Hackers Can Now Sneak Past Two-Step Authentication, Thanks To A Glaring Security Flaw


Phones are vital to every day existence. We stay in touch with loved ones, answer work emails, play silly games, and use them to follow our favorite thirst traps on Insta. They’re also a centerpiece of two-factor authentication — used to make changes, or log into certain secure accounts. In an increasing number of situations, you need to have both your password and a code that’s texted to you. Problem: This two-factor authentication, or 2FA, is now effectively worthless, as hackers have figured out a way around it thanks to the dumbest security flaw on the planet.

2FA has already revealed itself to be less secure than once believed, but this newest attack is way too simple to ignore: They can simply redirect your phone calls. The problem here is that phone networks are built on Signal System No. 7, SS7 for short. First designed in 1975, SS7 handles non-voice communications, including text messages and call forwarding over phone networks and it was never really designed for a world where supercomputers in pockets were connected to each other. The only thing safeguarding this network was the fact that you have to get some sort of access to it, which, until recently, only governments could really pull off.

But in 2014, it came out that it would be easy for hackers to use basic functions of the SS7 system for malicious purposes, like tracking your phone or listening to your calls. In fact, the German researchers who found the vulnerabilities specifically warned that fraud would be a major problem if the system wasn’t fixed, as the tools made intercepting any communication, from phone calls to text messages, easy. Now, those fears have been confirmed. Hackers, it turns out, have been using SS7 to redirect text messages to other phones, essentially tricking your phone into thinking it’s roaming, and then using that to get a bank to send you an authentication code via text. Once they have the code, they can crack your account.

The only good news is that hackers need a lot of data to rob you, not just your phone number. They also need your password, your bank account number, and some other data which they generally get with phishing attacks. So, we’ll say it yet again: Be skeptical of random emails asking you to click something!

The main question now is how widespread this attack will get before cellular networks and banks do something about it. In the meantime, take the usual precautions: If it’s been a while since you’ve changed your password, go do that, and use different passwords for each bank you have. And, if you have 2FA, contact the banks where you use it and ask about your options for better security.

(via Motherboard)