A cellular network vulnerability may jeopardize your cryptocurrency. Text messaging worldwide relies on the SS7 (Signalling System Number Seven) protocols. Unfortunately, SS7 has known vulnerabilities that can allow text messages to be eavesdropped on.

Attack

Suppose a Coinbase and Gmail user configures the Gmail account to use two-factor authentication texts. Here is how an attacker who knows the cell phone number could obtain access to the Coinbase account:

1. Use the Gmail email address recovery procedure to determine the email address by reading the text sent.
2. Use the Gmail password reset procedure to gain access by reading the text sent.
3. Use the Coinbase password reset procedure to gain access by specifying the Gmail email address as the username, and reading the email sent.

Here is a demonstration of this attack:

Solution

To protect yourself, use alternatives like the Google Authenticator smartphone application. These will only be safe, of course, if your smartphone does not have additional vulnerabilities. Make sure also that your solution does not lock you out of your accounts should you lose your phone!

Feedback

Feel free to leave any comments or questions below. You can also contact me by email at cs@etcplanet.org.

Acknowledgements

I would like to thank Spicyjack of the San Diego Kernel Panic Linux User Group (KPLUG) for his help with this article.

License

This work is licensed under the Creative Commons Attribution ShareAlike 4.0 International License.