Article posted: Oct 16, 2017
By Marcus Hartwig, Versasec GM Americas
Versasec has repeatedly warned that text messages should not be used for two-factor authentication. Now Positive Technologies has proved the point decisively by demonstrating how easily a bitcoin wallet can be taken over by intercepting a text message. As The Verge reported, Positive Technologies posted a video showing how easy it is to access a bitcoin wallet by intercepting text messages in transit.
Here's how they did it. First, the group sought out a Coinbase account that was registered to a Gmail account, itself protected by two-factor authentication. By exploiting known flaws in the cellular network, the group was able to intercept all text messages sent to a mobile number for a set period of time.
By accessing the phone text data, the "hacker" was able to reset the password to the Gmail account and use the Coinbase wallet. All the group needed was the name, surname and phone number of the Bitcoin user.
While many are quick to blame Bitcoin for this type of breach, it's really a cellular network problem: every carrier uses the SS7 signalling network to route calls and texts between phone numbers. The problem is that SS7 has known vulnerabilities, and experienced attackers can break into it with little effort.
Why risk it? There are much better ways to deploy two-factor authentication.
For example, our partner Yubico recently launched U2F YubiKeys: hardware authentication devices that support one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). They can be used with all Google accounts to protect sensitive data in popular Google applications, including Gmail, Chrome and Google Docs.
It's time to stop using SMS as a second factor. It's been nearly a year since we applauded the National Institute of Standards and Technology (NIST) recommendation to retire SMS-based two-factor authentication. Last October we agreed with NIST that the dangers outweigh the benefits, noting that one-time passwords (OTPs) and SMS are far inferior to a true cryptographic logon with a smart card or virtual smart card. Passwords delivered by text offer weak or no authentication, and, as Positive Technologies illustrated, they are easy to intercept.
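To make concrete why a U2F-style second factor holds up where an SMS code does not, here is an added example (not Versasec's, Yubico's or Positive Technologies' code) of the relying-party checks behind the two paragraphs above. An SMS OTP is a shared secret that anyone holding the intercepted message can submit; in U2F the private key stays on the device, and what crosses the wire is a signature over a fresh server challenge, the origin the browser saw, and a counter. The code mirrors the U2F authentication message layout (SHA-256 of the app ID, a user-presence byte, a big-endian counter, SHA-256 of the client data) with Go's standard P-256 ECDSA; the origin strings and the in-memory challenge store are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the device side: the key is generated on the
// device and only signatures ever leave it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// AuthResponse is what the device hands back for one challenge.
type AuthResponse struct {
	UserPresent byte
	Counter     uint32
	Signature   []byte // ASN.1 DER ECDSA signature
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedBytes builds the U2F authentication message:
// SHA-256(appID) || user-presence byte || big-endian counter || SHA-256(client data).
func signedBytes(appIDHash [32]byte, userPresent byte, counter uint32, clientDataHash [32]byte) []byte {
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	buf := make([]byte, 0, 32+1+4+32)
	buf = append(buf, appIDHash[:]...)
	buf = append(buf, userPresent)
	buf = append(buf, cb[:]...)
	return append(buf, clientDataHash[:]...)
}

// Sign answers a challenge for the origin the browser reports as appID.
// The origin is bound into the signature, so a response produced for one
// site does not verify at another.
func (a *Authenticator) Sign(appID string, challenge []byte) (AuthResponse, error) {
	a.counter++
	appHash := sha256.Sum256([]byte(appID))
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(signedBytes(appHash, 1, a.counter, clientHash))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return AuthResponse{}, err
	}
	return AuthResponse{UserPresent: 1, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the server side: the public key stored at registration,
// the last counter seen, and the challenges still waiting for an answer.
type RelyingParty struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     map[string]bool
}

func NewRelyingParty(appID string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{AppID: appID, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh 32-byte nonce; a captured earlier response cannot answer it.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify accepts a response only if the challenge is outstanding, the user was
// present, the counter advanced, and the signature is valid for this origin.
func (rp *RelyingParty) Verify(challenge []byte, resp AuthResponse) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	if resp.UserPresent&1 == 0 {
		return errors.New("user presence not asserted")
	}
	if resp.Counter <= rp.lastCounter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	appHash := sha256.Sum256([]byte(rp.AppID))
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(signedBytes(appHash, resp.UserPresent, resp.Counter, clientHash))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], resp.Signature) {
		return errors.New("signature invalid: wrong key or wrong origin")
	}
	delete(rp.pending, string(challenge)) // each challenge is usable exactly once
	rp.lastCounter = resp.Counter
	return nil
}

func main() {
	dev, _ := NewAuthenticator()
	rp := NewRelyingParty("https://accounts.example.com", dev.PublicKey()) // constructed origin
	c, _ := rp.NewChallenge()
	resp, _ := dev.Sign(rp.AppID, c)
	fmt.Println("fresh response:   ", rp.Verify(c, resp))
	fmt.Println("replayed response:", rp.Verify(c, resp))
	c2, _ := rp.NewChallenge()
	other, _ := dev.Sign("https://other.example", c2) // constructed, a different origin
	fmt.Println("other-origin resp:", rp.Verify(c2, other))
}
```

The contrast with SMS is in what the server stores and checks: an OTP verifier compares a string that the network carried in the clear, so whoever read the message holds everything needed to log in; the relying party above never receives a secret at all, only a signature that is tied to one nonce, one origin and one position in the device's counter sequence.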
To learn more about protecting your organization with the most-up-to-date multi-factor authentication, visit https://versasec.com.