For years, researchers have warned of the design flaws in Signalling System No. 7 (SS7), an internationally used telecom protocol for routing texts and calls. SS7 is what lets you receive an SMS text, and it remains widely used by banks and other services to send OTP and two-factor authentication (2FA) codes to their customers.
Security researchers at Positive Technologies have demonstrated how they were able to exploit these SS7 flaws, which have been openly known for years.
By intercepting text messages in transit, the researchers were able to easily take control of a Gmail account and the Coinbase Bitcoin wallet associated with it, and empty out all funds in the wallet.
A video posted by Positive Technologies showed how easy it was to hack into a Bitcoin wallet.
Bear in mind that this form of attack is not limited to cryptocurrency wallets; it applies to any service using two-step verification, such as your bank account, Facebook or Gmail.
SS7 was created in the 1980s, and these known vulnerabilities are nothing new. The real weakness resides in the cellular system itself.
As it appears that network operators will be unable to patch the SS7 issues anytime soon, users will have to take their own preventive measures if they want to avoid such attacks.
For now, avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically based security keys as a second authentication factor. Other tools that can be used as alternatives are Google Authenticator or Google prompt.