Why You Should Stop Using Two-Step Verification via SMS

It’s super easy to fall into the trap of feeling safe because the online service you’re using adds a second layer of identity verification known as two-step verification. This second step is either an SMS message sent to your phone number over the carrier network, or a one-time code generated by an app such as Google Authenticator or Authy.

In theory, two-step verification protects users when they shop online or log in to an account from a new device or a new location. The reality, however, looks very different. The SMS variant is built on a flawed system that gives hackers a backdoor to user data: they can intercept SMS messages, eavesdrop on your phone calls, and track your location.


The flawed SS7

What gives hackers these remote surveillance powers is Signalling System No. 7 (SS7), which goes by the name Common Channel Signalling System 7 (CCSS7) in the U.S. and Common Channel Interoffice Signaling 7 (CCIS7) in the UK. It is the system that connects one wireless carrier network to another: a set of protocols that lets phone networks exchange the information needed to set up calls and deliver SMS messages between each other and to bill for them correctly. It also lets wireless subscribers roam on a foreign carrier’s network when traveling abroad.

SS7 vulnerabilities have been known for years, and security researchers have warned telecommunication companies countless times to patch them, but despite their promises, actual progress in closing those security loopholes has been little to none. In other words, the carriers ignored it. You can ignore it too, but – as the cases detailed below highlight – the danger is real, and there’s every chance that you could be the next target.

Cybercriminals drain bank accounts in Germany

In May 2017, Germany’s O2-Telefonica confirmed that some of its customers’ bank accounts were drained because hackers successfully used the security flaws of SS7. This enabled them to intercept two-step verification codes sent to online banking customers and empty their bank accounts during the night.

Bitcoin wallet hacked via SMS interception

In a video demonstration provided to Forbes, security researchers from Positive Technologies showed that they needed only the target’s phone number and name to hack their Gmail account and steal Bitcoins from them. First, the researchers used Gmail’s account lookup to find the email account belonging to that phone number. After identifying the email address, they initiated a password reset, which automatically prompted the system to send a one-time authorization code to the target’s phone number. By exploiting the SS7 weakness, the researchers were able to intercept the SMS message containing the code and take over the Gmail account. From that moment on, stealing Bitcoins was a piece of cake.

SIM swap fraud

According to the U.S. Fair Trade Commission (FTC), phone account hijacking, known as SIM swap fraud, is on the rise: in January 2013 there were only 1,038 reported incidents, but by January 2016 that had grown to 2,658 incidents, representing 6.3% of all identity thefts reported to the FTC that month. A SIM swap can be carried out in various ways, even remotely by deploying SIM malware, or by calling the telecommunication company’s customer service and hijacking the mobile phone account in the victim’s name.

How to protect yourself against the SS7 flaw and identity theft

If you’re now thinking it’s a good time to change your passwords and stop using the two-step verification method, you’d be right. That extra layer of security can be counterbalanced with a strong password (more than 12 characters long) built with our password recipe. However, changing your passwords to more secure ones usually takes extra effort to remember them, so it’s easier to use a password manager. In addition, you should make use of the extra layer of security that carriers provide. AT&T and T-Mobile, for example, offer a feature that requires users to provide a passcode for any online or phone interaction with a customer rep. Sprint and Verizon users can set a PIN and choose security questions when setting up the service. As always, change your passwords at least as often as your password manager of choice suggests.


©2012-2025 Best Reviews, a clovio brand – All rights reserved