It’s super easy to fall into the trap of feeling safe because the online service you’re using utilizes a second layer of identity verification known as two-step verification. This involves either an SMS message sent to your phone number through the carrier network, or a one-time code generated by an app such as Google Authenticator or Authy.
In theory the two-step verification system protects users when shopping online or when logging in to an account from a new device or new location. The reality, however, looks very different. This process builds on a flawed system that provides hackers with a backdoor through which they can access user data: intercept SMS messages, eavesdrop on your phone calls, and track your location.
What gives hackers these remote surveillance powers is the Signalling System No 7 (SS7), and goes by the name Common Channel Signalling System 7 (CCSS7) in the U.S. and Common Channel Interoffice Signaling 7 (CCIS7) in the UK. It is a system that connects one wireless carrier network to another, a set of protocols that allows phone networks to exchange the information needed to make calls and send SMS messages between each other for proper billing. It also enables wireless subscribers to roam on a carrier network when traveling in a foreign country.
SS7 vulnerabilities have been around for years, and security researchers have warned telecommunication companies countless times to patch them but, despite their promises, actual progress in closing those security loopholes has been little to none. In other words, the carriers ignored it. You can ignore it too, but – as the cases detailed below highlight – there is a real danger out there, and there’s every chance that you could be the next target.
In May 2017, Germany’s O2-Telefonica confirmed that some of its customers’ bank accounts were drained because hackers successfully used the security flaws of SS7. This enabled them to intercept two-step verification codes sent to online banking customers and empty their bank accounts during the night.
In a video demonstration provided to Forbes, Positive Technologies security researchers have shown they need only the target’s phone number and name to hack their Gmail account and steal Bitcoins from them. First, hackers used Gmail to find an email account with just a phone number. After identifying the email address, a password reset process was initiated, which automatically prompted the system to send a one-time authorization code to the target’s phone number. By exploiting the SS7 weakness, the researchers were able to intercept the SMS message containing the code and take over the Gmail account. From that moment on, stealing Bitcoins was a piece of cake.
According to the U.S. Fair Trade Commission (FTC), phone account hijacking, known as SIM swap fraud, is rising: while in January 2013 there were only 1,038 reported incidents, that grew to 2,658 such incidents in January 2016, representing 6.3% of all identity thefts reported to the FTC that month. SIM swap can be done in various ways, even remotely by deploying SIM malware, or by calling the telecommunication companies’ customer service and hijacking a mobile phone account in the victim’s name.
If you’re now thinking it’s a good time to change your passwords and stop using the two-step verification method, you’d be right. That extra layer of security can be counterbalanced with a strong (more than 12-character-long) password, using our password recipe. However, changing the passwords to more secure ones usually requires additional effort from the brain to remember them, so it’s easier to use a password manager.
Share your thoughts, ask questions, and connect with other users. Your feedback helps our community make better decisions.
©2012-2025 Best Reviews, a clovio brand –
All rights
reserved
