An architecture flaw in mobile networks could allow hackers to intercept SMS one-time passwords and access Bitcoin wallets.
The vulnerability, uncovered by enterprise security specialist Positive Technologies, means that with just a person's first name, last name, and phone number, researchers were able to learn the email address linked to the wallet, obtain control over it, and gain access to the wallet itself, including withdrawing funds.
The attack is made possible by a flaw in the Signaling System No. 7 (SS7) protocol used by most of the world's telephone networks. SS7 was developed in 1975 and has made the news before, when vulnerabilities allowing cell phone users to be secretly tracked were uncovered in 2008 and in 2014.
Positive Technologies is one of the first companies to pay attention to SS7 security flaws relating to banking systems. Attacks exploiting these vulnerabilities can be launched from anywhere, which is a great benefit to attackers. In spring 2017, the first cases of attacks exploiting SS7 were registered in Germany, leading to money being stolen from bank accounts. Cybercriminals intercepted texts with online banking authentication codes sent to customers of Telefonica Germany (O2), a German mobile operator, and used them to carry out unauthorized transactions.
"We work in close coordination with telecom operators to discover threats before hackers do, in order to protect subscribers," says Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies. "Exploiting SS7-specific features is one of several existing ways to intercept SMS. Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level."
You can find out more about the attack method in the video below.