Mobile phone security's been busted for years, and now 2-factor auth is busted too

The SS7 vulnerability has long been understood and publicized: anyone who spends $1000 or so for a mobile data roaming license can use the SS7 protocol to tell your phone company that your phone just showed up on their network and hijack all the traffic destined for your phone, including those handy SMSes used to verify sketchy attempts to log into your bank account and steal all your money.


SS7 is now confirmed to be exploited in the wild, with crooks taking big scores through it.

It's a kind of parable about security theater and denial. The SS7 warnings have been coming for years in a rising chorous, and yet the carriers and phone vendors insisted it wasn't a problem and the services that relied on its integrity for two-factor auth powered on, building their 2FA on the slopes of the SMS volcano as though it wasn't belching smoke and threatening to erupt at any moment.

For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors.

But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts.

This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.


We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed.
[Joseph Cox/Motherboard]

(Image: Alcinoe Calahorrano/PD)