Researchers from Positive Technologies recently reported a way to compromise Google accounts using only a phone number and a name. Once the account is hacked, cyber criminals can use it to gain access to the victim’s Bitcoin and bank accounts.
Hackers have this opportunity because of a vulnerability in the global telecom network. The flaw affects Signaling System No. 7 (SS7). The researchers provided a video that shows them gaining access to a Coinbase account and using it however they wanted. Considering that over 10.4 million Bitcoin users own a Coinbase account, this issue could potentially affect a lot of bitcoiners.
An SS7 flaw allows anyone with access to the telecom backbone to send and receive texts and messages, as well as intercept geolocation data.
The researchers were able to find a Gmail account with just a phone number. To reset the password, they requested that the one-time authorization code be sent to the victim’s phone. After that, they used the exploit to change the password and take control of the account. Using the same method, they also gained access to the victim’s Coinbase account.
The threat affects not only Bitcoin users but anyone who has anything linked to their Google account. So far, the biggest difficulty for hackers is accessing SS7 itself. Positive Technologies’ researchers were given access to it by network operators for research purposes. Hackers, however, would need to either buy access on dark web sites or hack their way in.
How to keep your Bitcoins safe
It may appear that there is no way to protect your Bitcoins while the SS7 flaw still exists. However, if you start using apps like Google Authenticator instead of SMS two-factor authentication, hackers won’t be able to gain access to your account via your phone.
Apps that generate one-time codes, like Google Authenticator, are much safer than SMS-based two-factor authentication. Coinbase’s vice president of operations, Daniel Romero, recommends that all customers start using authentication apps.
Other potential solutions that prevent SS7 attacks are Google Prompt and security keys. Always make sure that you’re using a proper method to secure your Bitcoin account, and you won’t need to worry about its safety.