Two days ago, a friend who invested in Bitcoin asked me how secure her Coinbase investment was. She had plans to put her coins in cold storage, but as a security stopgap was relying on two-factor authentication (2FA) through Coinbase, as many people do. My main question: What kind of two-factor?
The problem with 2FA is that often a distinction isn't made between SMS-based 2FA, which sends a code to the user via text, and 2FA that requires a user to respond to a push verification sent to a specific physical device. Security researchers at Positive Technologies have demonstrated yet another reason that the former is bad news. After identifying the Gmail account associated with a Coinbase account, they were able to use the well-known security holes in Signaling System 7 (SS7) — an international telecom protocol that allows phone networks to route texts and calls between users — to intercept the SMS-based verification code to commandeer it, theoretically draining all of the cryptocurrency stored within. All the researchers needed was a name, a phone number and an educated guess about a user's Gmail account, as you can see in the demo video below.
"Exploiting SS7 specific features is one of several existing ways to intercept SMS," said Positive Technologies Telecommunications Security lead Dmitry Kurbatov. "Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology."
In spite of the security community's warnings, this particular hack isn't just hypothetical — it actually showed up to wreak havoc in German banks earlier this year.
The difference between the kinds of two-factor authentication might seem subtle, but it's worth repeating. Because users can check text messages across devices (through iMessage, Google Voice, etc.), text-based 2FA spreads out the potential attack surface. Instead of a code being sent to one place — like a purpose-built smartphone app or a separate authenticator device — it's distributed throughout a set of services that might have their own vulnerabilities. True two-factor authentication, the good kind, sends a verification prompt to one place: the device you're holding in your hand. SMS-based 2FA is vulnerable not only to hackers who might be leveraging technical loopholes in SS7, but also to any social engineer willing to talk their way around a Verizon employee.
What's also worth repeating are the known security concerns around SS7. In March, Oregon Senator Ron Wyden and California Representative Ted Lieu — two of the tech-savviest members of Congress — wrote a letter to the Department of Homeland Security demanding to know what the U.S. government was doing to combat the threat and spread awareness about its existence. It's important to remember that any government actively exploiting SS7 for surveillance purposes might drag their feet in sounding the alarm. Of course, SS7 doesn't just open Coinbase to hacks — it could impact any service that offers an SMS-based 2FA option.
"This hack would work for any resource that uses SMS for password recovery," Kurbatov told TechCrunch. "If a hacker is able to repeat the same logic of password recovery via SMS to get access to the account, then the attack works."
To deal with this, Kurbatov suggests that users have a separate phone number for online services through something like Google Voice. Beyond that, there isn't much consumers can do to protect themselves against an SS7-based exploit, they can choose app-based 2FA methods like Duo or Google's iOS in-app feature and demand that all companies provide a non-SMS 2FA option to help users prove that they are who they say they are. Until that becomes the universal standard, expect to see this kind of vulnerability getting more attention from security researchers and hackers alike.