Using only a name and a phone number, hackers are able to compromise someone’s Google account and use it to get to that person’s bitcoins or bank account. This was showed to Forbes by the researchers from Positive Technologies.
Hackers can do this using a flaw in the global telecoms network, that affects what’s known as Signaling System No. 7 (SS7). In a demonstration video, researchers were able to take control of a Coinbase account and do whatever they wanted to with its funds, via an SS7 flaw. Taking into account that Coinbase has over 10.4 million users, a lot of bitcoin users are at risk. An SS7 weakness essentially allows anyone with access to the telecoms backbone to send and receive messages from specific cellphones, with some attacks allowing texts, calls, and location data to be intercepted by the hackers.
Positive Technologies’ researchers first used Gmail to find an email account with just a phone number. Then, they reset that account’s password, which prompted a one-time authorization code to be sent to the victim’s phone. Using their SS7 exploit, they intercepted the text and got the code, effectively taking control of the account.
The threat, as Forbes points out, doesn’t just affect bitcoin users, but anyone with anything linked to a Google account. Positive researcher Dmitry Kurbatov stated: “This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery.”
Even though this type of attack seems scary, there is a way to secure your bitcoins if they are in a Google account-linked wallet: stop using SMS for two-factor authentication. SS7 attacks, according to Forbes, don’t work when the two-factor authentication system is based on one-time codes like the Google’s Authenticator app.