Two-factor security is so broken, now hackers can drain bank accounts

Criminals have exploited a known flaw in how calls and text messages travel around the world to redirect a two-factor code for a person's bank account.
Written by Zack Whittaker, Contributor

We've known for years that a key protocol that allows global cellular networks to communicate with each other had vulnerabilities -- and nobody really took it that seriously.

Hackers and politicians alike have been warning for years that these flaws in the calling and text message routing system, known as Signaling System 7 (SS7), can be used to intercept and redirect calls and text messages, allowing hackers to eavesdrop on almost any phone in the world.

Now, financially driven hackers are using the weakness to intercept text messages that deliver two-factor codes to bank customers to break in and empty their bank accounts, according to a report in a German newspaper.

It's likely the first known account of the SS7 vulnerability being exploited in the wild by a malicious actor, rather than for demonstrative purposes.

According to the newspaper, the attackers would try to get into a person's bank account. Armed with their username and password -- possibly recycled from another breach -- they would log in to their victims' online banking account. Trouble is, they may not be able to get past the two-factor code, which sends a code or a phone call to a trusted device -- like a phone -- to ensure nobody else can log in.

By intercepting the call or text message using equipment, which the German newspaper said can be sold for around €1,000 ($1,100 in today's conversion), the attackers can use the code to get full access to the bank account -- and send money to any other account they want.

Some networks fare better than others, but nobody has fixed the vulnerabilities -- likely because of the thought-to-be low risk for consumers versus a high cost and difficulty to fix.

That might have to change, now that potentially any text message-based two-factor authentication might be at risk -- social networking accounts, banking logins, and email accounts, to name a few.

"Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," said Rep. Ted Lieu (D-CA) in a statement. Lieu is one of the few members of Congress with a computer science background -- and who allowed hackers to eavesdrop on his phone during a 2015 episode of CBS "60 Minutes."

"Both the Federal Communications Commission and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number," he added, before urging Congress to hold "immediate hearings" on the matter.

Just last year, the National Institute of Standards and Technology (NIST) said that it would deprecate its advice -- albeit, not entirely advise against -- for text message-based authentication, because it wasn't as secure as other forms of two-factor authentication -- such as apps, like Google Authenticator and Authy, which use end-to-end encryption to send two-factor codes.

The problem is many apps don't provide app support for two-factor codes. You can check on this website though, which shows which sites, services, and companies support "software tokens."

And if you haven't ventured into two-factor territory yet -- you really should. We even have a handy step-by-step guide to help you through.

Editorial standards