How To Hack Gmail & Bitcoin Wallets With Just A Name & Phone Number

How To Quickly Spot Scam Emails: 5 Things To Know
September 26, 2017
The Ultimate Guide to Your Smartphone’s Mobile Privacy You Need to Know
October 11, 2017

How To Hack Gmail & Bitcoin Wallets With Just A Name & Phone Number

For years, researchers have warned of the design flaws in Signalling System No. 7, an internationally used telecom protocol to route texts and calls. SS7 is what lets you receive an SMS text, and remains widely used by banks and other services to send out OTP and two-factor authentication (2FA) codes to their customers.

Security researchers Positive Technologies have demonstrated just how they were able to exploit this SS7 flaw, which has been openly vulnerable for years.

By intercepting text messages in transit, the researchers were able to easily take control of a Gmail account, the Coinbase Bitcoin wallet associated to it, and empty out all funds in the wallet.

 

HOW THEY EMPTIED FUNDS FROM A BITCOIN WALLET

A video posted by Positive Technologies showed how easy it was to hack into a Bitcoin wallet:

  • In their demonstration, the Positive Technologies researchers started by using Google’s service to find a Gmail account with just a phone number.
  • After the email was identified, they initiated a password reset request by sending a one-time authorisation token to a victim’s phone number.
  • Since the victim’s phone number is known in this scenario, hackers can exploit the SS7 weakness to intercept the SMS text containing the code for account recovery.
  • This allows the hacker to choose a new password and take control of the Gmail account.
  • From there, all the hacker needs to do is head to the Coinbase account with the compromised Gmail account, and perform another password reset. Thus, allowing them access to the Coinbase account and to the Bitcoin wallet.

 

WHERE IS THE PATCH?

Bearing in mind, this form of attacks is not limited to cryptocurrency wallets alone, but any service using two-step verification such as your bank account, Facebook or Gmail.

SS7 was created in the 1980s, and these known vulnerabilities are nothing new. The real weakness resides in the cellular system itself.

As it appears that network operators are unable to patch the SS7 issues anytime soon, users will have to take their own preventive measures if they want to avoid such attacks.

For now, avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor. Other tools that can be used as an alternative are Google Authenticator or Google prompt for extra security.

 

Leave a Reply

Your email address will not be published. Required fields are marked *