Researchers used long-standing vulnerabilities in the Signalling System No. 7 (SS7) telecom network protocol to gain access to and steal from a test account that they recently registered on the Coinbase bitcoin exchange platform.
According to Positive Technologies, whose researchers pulled off the video demonstration, all that was initially needed to compromise the Coinbase account via SS7 was the account holder’s first and last names and phone number. Researchers also needed the account holder’s Gmail address, but they managed to obtain that information as well by capitalizing on SS7’s flaws.
By exploiting SS7, which many experts say lacks the necessary safeguards to prevent abuse, the researchers were able to intercept SMS text messages that are sent to the phone numbers of Gmail or Coinbase users who are trying to reset their passwords using two-factor authentication. Anyone with access to the SS7 system can intercept such texts, which contain verification codes that users must enter in order to update their account credentials. By stealing these codes, attackers can easily take over the corresponding accounts. In Coinbase’s case, this could result in users being drained of their virtual funds.
In a press release, Positive Technologies noted that a real-life attack of this nature occurred in Spring 2017, when cybercriminals intercepted texts containing online banking authentication codes that were sent to customers of German mobile company Telefonica Germany (O2), and used these codes to carry out financial transactions.
“Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology,” said Dmitry Kurbatov, head of telecommunications security department at Positive Technologies, in the release. “All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level.”