Two-factor authentication that relies on text messages may be ineffective against hacking, because criminals have been able to exploit a vulnerability in Signalling System 7 (SS7) to steal money from bank accounts.
Among other things, the SS7 global infrastructure allows cell phones to stay connected on a network or different networks on an uninterrupted basis from one cell tower to the next as users travel in cars or trains. As Natural News previously explained, the protocol can be repurposed for evil deeds such as surveillance.
Unfortunately, it can also allow fraudsters to intercept sensitive communications, such as security codes sent by text message, and reroute them.
Banking portals, as well as other websites unrelated to financial transactions, often require or recommend a two-step login process for customers to access an account, i.e., entering a password plus a randomly generated additional password texted to the user’s cell phone number. The latter is meant to add an additional layer of security, but that’s where the potential trouble comes in, according to Ars Technica.
Specifically, the attackers used SS7 to redirect the text messages the banks used to send one-time passwords. Instead of being delivered to the phones of designated account holders, the text messages were diverted to numbers controlled by the attackers. The attackers then used the mTANs — short for “mobile transaction authentication numbers” — to transfer money out of the accounts.
Hackers apparently carried out these attacks in Germany earlier this year. German authorities subsequently blocked the foreign network provider from which the attacks were carried out.
Lawmakers in the US, such as Rep. Ted Lieu, have called upon the FCC and the telecommunications industry to eliminate the SS7 security flaw, foreseeing that such crimes could become a widespread problem.
Malware can also compromise two-step verification.
According to the Daily Mail, however, for this scam to work the hackers first need to get hold of the first step in the verification process, namely the username and password. With that in mind, never use the same password across multiple sites.
To avoid having SMS messages intercepted, Ars Technica recommends cryptographically based security keys as the second step or, alternatively, a dedicated smartphone app that generates the codes on the device itself.
The SS7 protocol is what most of the world’s cellular networks use to transmit voice and data and is expected to be deployed for about 10 more years before the telecommunications industry replaces it with more sophisticated technology.
If your bank uses two-step verification for online account access, it might be a good idea to check with the bank to determine what security measures are in place to address this potential vulnerability. “[A]nyone who uses two-factor is a potential victim,” Wired cautioned.