Reliable SMS interception leaves 2FA accounts open to attack

Text messages via SMS are often used as part of two-factor authentication strategies to protect login accounts.

But a new and worrying study from Positive Technologies shows that real-world attempts to intercept SMS messages are 100 percent successful.

The underlying technology behind mobile networks -- Signaling System No 7 (SS7) -- has had known flaws for some time. This latest report looks at major mobile operators in Europe and the Middle East and reveals that virtually every network examined allows eavesdropping on conversations and reading of incoming text messages.

Fraud was found to be possible on 78 percent of networks, and all networks contain dangerous vulnerabilities with which an attacker could disrupt subscriber access to services. Clearly, if an attacker is able to intercept messages containing 2FA codes, it leaves a whole range of services, including bank accounts, open to attack.

"Operators are waking up to the risks and starting to act: all the networks we tested in 2017 had an SMS Home Routing system. One third of networks had a system for filtering and blocking signaling traffic," says Dmitry Kurbatov, head of telecom security at Positive Technologies. "This remains only a stopgap measure at best, however. Every network today is vulnerable, whether due to equipment misconfiguration or architectural shortcomings of SS7 signaling networks, which cannot be fixed with the options currently available."

The report concludes that only a comprehensive security approach can minimize these hazards. Such an approach would involve regular network audits, proper network configuration, non-stop monitoring of signaling traffic, and timely detection of illegitimate activity.

You can find out more about the problem in the full report, available from the Positive Technologies website.

