It’s easy to fall into the trap of feeling safe because the online service you use adds a second layer of identity verification, known as two-step verification. That second step is usually either a code sent to your phone number as an SMS message over the carrier network, or a one-time code generated by an app such as Google Authenticator or Authy. The weakness described below concerns the first kind: any code that has to travel over the phone network to reach you.
In theory, two-step verification protects you when shopping online or when logging in to an account from a new device or a new location. The reality looks very different when the second step is an SMS message. It rides on a flawed signalling system that gives attackers a way to intercept your text messages, eavesdrop on your phone calls and track your location, and an intercepted code is a way into your account.
The Flawed SS7
What gives attackers these remote surveillance powers is Signalling System No. 7 (SS7), also known as Common Channel Signalling System 7 (CCSS7) in the U.S. and Common Channel Interoffice Signaling 7 (CCIS7) in the UK. It is the set of protocols that connects one carrier’s network to another: networks use it to exchange the information needed to set up calls, route SMS messages and bill each other correctly, and it is what lets a subscriber roam on a foreign carrier’s network when travelling abroad. The problem is its trust model. Any network with SS7 access can ask another network where a given phone number currently is and have that number’s calls and messages delivered elsewhere, and that request is not verified beyond the fact that it arrived over SS7. That is exactly the capability the attacks below abuse.
SS7 vulnerabilities have been known for years, and security researchers have warned telecommunications companies many times to address them, but despite promises, actual progress in closing these loopholes has been little to none. In other words, the carriers ignored it. You can ignore it too, but, as the cases detailed below show, the danger is real and there is every chance that you could be the next target.
Cybercriminals Drain Bank Accounts in Germany
In May 2017, Germany’s O2-Telefonica confirmed that some of its customers’ bank accounts had been drained by attackers who exploited the security flaws of SS7. The flaws let them intercept the one-time transaction codes that the banks sent by SMS to confirm transfers, and empty the accounts during the night.
Bitcoin Wallet Hacked via SMS Interception
In a video demonstration provided to Forbes, security researchers at Positive Technologies showed that they needed only a target’s name and phone number to take over their Gmail account and steal their Bitcoins. First, they used Gmail’s account lookup to find the email address tied to that phone number. Then they started a password reset for that address, which made the system send a one-time authorization code by SMS to the target’s phone. By exploiting the SS7 weakness, they intercepted the SMS message carrying the code, entered it and took over the Gmail account. Note that the target’s password was never guessed or cracked: the reset went around it. With control of the mailbox, stealing the Bitcoins from a wallet service that relied on that same email address was a piece of cake.
SIM Swap Fraud
According to the U.S. Federal Trade Commission (FTC), phone account hijacking, known as SIM swap fraud, is rising: in January 2013 there were 1,038 reported incidents, and by January 2016 that had grown to 2,658, representing 6.3% of all identity thefts reported to the FTC that month. A SIM swap needs no SS7 access at all. The attacker gets the carrier to move the victim’s number onto a SIM they control, most often by calling the carrier’s customer service and hijacking the mobile phone account in the victim’s name, or, in some reports, remotely by deploying SIM malware. The end result is the same as an SS7 interception: the attacker’s handset receives the victim’s calls and SMS codes, and the victim’s own phone goes dead.
How to Protect Yourself Against the SS7 Flaw and Identity Theft
If you’re now thinking it’s a good time to change your passwords and stop relying on SMS codes as your second step, you’d be right. Keep two-step verification, but wherever a service allows it, move the second step to an authenticator app such as Google Authenticator or Authy: its codes are generated on your device and never travel over the phone network, so neither an SS7 attacker nor a SIM swapper can read them. Check the account-recovery options of your important accounts as well. In the Gmail case above the password was never attacked at all; the reset went straight to the phone number, so a phone number that is allowed to reset your password is the weakest link, however strong the password itself is. A strong (more than 12-character-long) password, built with our password recipe, still matters for everything else, but remembering many of them takes real effort, so it’s easier to use a password manager.
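The attack chain walked through in the Gmail case above (phone number, account lookup, SMS reset code, interception) and the advice here to keep a second step but take it off the phone network, as an added example that is not from the original article: a small Python model in which a simulated carrier delivers the victim’s texts to the attacker, which is the effect of both an SS7 reroute and a SIM swap. The account service, the phone numbers and the attacker are constructed for this example; totp() is a plain RFC 6238 implementation on the standard library, the same algorithm Google Authenticator and Authy use.

```python
"""Model of the SMS-based account takeover described above, and of the same
reset flow with an authenticator-app (TOTP, RFC 6238) step that neither an
SS7 attacker nor a SIM swapper can intercept. Added example, not the
article's code; service, carrier and attacker are simulations."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by Google Authenticator and Authy."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Carrier:
    """Simulated SMS delivery. An SS7 reroute and a SIM swap look the same here:
    texts for the victim's number land in the attacker's inbox, never the victim's."""

    def __init__(self):
        self.inbox = {}     # phone number -> list of delivered messages
        self.redirect = {}  # victim number -> number the attacker controls

    def send_sms(self, number: str, text: str) -> None:
        self.inbox.setdefault(self.redirect.get(number, number), []).append(text)


class AccountService:
    """Toy web service with a 'find account by phone' lookup and SMS password reset.
    With require_totp=True the reset also demands a code from the user's app."""

    def __init__(self, carrier: Carrier, require_totp: bool):
        self.carrier = carrier
        self.require_totp = require_totp
        self.users = {}    # email -> {"password", "phone", "totp_secret"}
        self.pending = {}  # email -> outstanding SMS reset code

    def register(self, email: str, password: str, phone: str) -> str:
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.users[email] = {"password": password, "phone": phone, "totp_secret": secret}
        return secret  # provisioned into the user's authenticator app

    def email_for_phone(self, phone: str):
        """The phone-number-to-account lookup the researchers used first."""
        return next((e for e, u in self.users.items() if u["phone"] == phone), None)

    def start_reset(self, email: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[email] = code
        self.carrier.send_sms(self.users[email]["phone"], f"Your reset code is {code}")

    def finish_reset(self, email, sms_code, new_password, totp_code=None, now=None) -> bool:
        if self.pending.get(email) != sms_code:
            return False
        if self.require_totp:
            expected = totp(self.users[email]["totp_secret"], time.time() if now is None else now)
            if totp_code is None or not hmac.compare_digest(expected, totp_code):
                return False
        self.users[email]["password"] = new_password
        del self.pending[email]
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(user["password"].encode(), password.encode())


def run_attack(require_totp: bool, now: float = 1_700_000_000.0) -> bool:
    """Attacker starts with nothing but the victim's phone number.
    Returns True if they end up able to log in as the victim."""
    carrier = Carrier()
    svc = AccountService(carrier, require_totp)
    victim_phone, attacker_phone = "+15551230001", "+15559990002"  # constructed sample data
    # A long, strong password plays no part in the outcome: it is never guessed.
    svc.register("victim@example.com", "correct horse battery staple 42!", victim_phone)

    carrier.redirect[victim_phone] = attacker_phone         # the SS7 / SIM-swap step
    email = svc.email_for_phone(victim_phone)               # 1. phone number -> account
    svc.start_reset(email)                                  # 2. trigger the reset SMS
    stolen = carrier.inbox[attacker_phone][-1].split()[-1]  # 3. read the intercepted code
    # 4. use it; the attacker has no authenticator app, so no TOTP code to offer
    if svc.finish_reset(email, stolen, "pwned", totp_code=None, now=now):
        return svc.login(email, "pwned")
    return False


def run_legitimate_reset(now: float = 1_700_000_000.0) -> bool:
    """The hardened flow still works for the real owner, who holds the app secret."""
    carrier = Carrier()
    svc = AccountService(carrier, require_totp=True)
    phone = "+15551230001"
    secret = svc.register("owner@example.com", "old-password", phone)
    svc.start_reset("owner@example.com")
    code = carrier.inbox[phone][-1].split()[-1]
    if not svc.finish_reset("owner@example.com", code, "new-password", totp(secret, now), now):
        return False
    return svc.login("owner@example.com", "new-password")


if __name__ == "__main__":
    print("SMS-only reset, SMS intercepted   -> taken over:", run_attack(False))
    print("SMS + app code, SMS intercepted   -> taken over:", run_attack(True))
    print("SMS + app code, legitimate owner  -> reset ok  :", run_legitimate_reset())
```

Run it and the three lines show the point of this section: the SMS-only reset is taken over; the same reset with an app code is not, even though the SMS was still intercepted; and the real owner can still reset. The victim’s long password never enters the attack, because the reset bypasses it. To check totp() against RFC 6238 Appendix B, base32-encode the ASCII secret 12345678901234567890 and call totp(secret, 59); the six-digit result is 287082.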
In addition, make use of the extra protection that carriers offer against SIM swaps. AT&T and T-Mobile, for example, let you set a passcode that must be provided for any online or phone interaction with a customer representative, and Sprint and Verizon customers can set a PIN and choose security questions when setting up the service. Finally, change any password promptly when your password manager flags it as weak, reused or exposed in a breach.