Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
Why You Should Stop Using Two-Step Verification via SMS

By István F. Verified by Sander D. Last updated: December 12, 2024

It’s super easy to fall into the trap of feeling safe because the online service you’re using utilizes a second layer of identity verification known as two-step verification. This involves either an SMS message sent to your phone number through the carrier network, or a one-time code generated by an app such as Google Authenticator or Authy.

In theory the two-step verification system protects users when shopping online or when logging in to an account from a new device or new location. The reality, however, looks very different. This process builds on a flawed system that provides hackers with a backdoor through which they can access user data: intercept SMS messages, eavesdrop on your phone calls, and track your location.

The flawed SS7

What gives hackers these remote surveillance powers is Signalling System No. 7 (SS7), which goes by the name Common Channel Signalling System 7 (CCSS7) in the U.S. and Common Channel Interoffice Signaling 7 (CCIS7) in the UK. It is a set of protocols that connects one wireless carrier network to another, allowing phone networks to exchange the information needed to make calls, send SMS messages between each other, and bill for them properly. It also enables wireless subscribers to roam on a carrier network when traveling in a foreign country.

SS7 vulnerabilities have been around for years, and security researchers have warned telecommunication companies countless times to patch them but, despite their promises, actual progress in closing those security loopholes has been little to none. In other words, the carriers ignored it. You can ignore it too, but – as the cases detailed below highlight – there is a real danger out there, and there’s every chance that you could be the next target.

Cybercriminals drain bank accounts in Germany

In May 2017, Germany’s O2-Telefonica confirmed that some of its customers’ bank accounts were drained because hackers successfully used the security flaws of SS7. This enabled them to intercept two-step verification codes sent to online banking customers and empty their bank accounts during the night.

Bitcoin wallet hacked via SMS interception

In a video demonstration provided to Forbes, Positive Technologies security researchers have shown they need only the target’s phone number and name to hack their Gmail account and steal Bitcoins from them. First, hackers used Gmail to find an email account with just a phone number. After identifying the email address, a password reset process was initiated, which automatically prompted the system to send a one-time authorization code to the target’s phone number. By exploiting the SS7 weakness, the researchers were able to intercept the SMS message containing the code and take over the Gmail account. From that moment on, stealing Bitcoins was a piece of cake.

SIM swap fraud

According to the U.S. Fair Trade Commission (FTC), phone account hijacking, known as SIM swap fraud, is rising: while in January 2013 there were only 1,038 reported incidents, that grew to 2,658 such incidents in January 2016, representing 6.3% of all identity thefts reported to the FTC that month. SIM swap can be done in various ways, even remotely by deploying SIM malware, or by calling the telecommunication companies’ customer service and hijacking a mobile phone account in the victim’s name.

How to protect yourself against the SS7 flaw and identity theft

If you’re now thinking it’s a good time to change your passwords and stop using the two-step verification method, you’d be right. That extra layer of security can be counterbalanced with a strong (more than 12-character-long) password, using our password recipe. However, changing the passwords to more secure ones usually requires additional effort from the brain to remember them, so it’s easier to use a password manager.

In addition, you should make use of the extra layer of security that carriers provide. AT&T and T-Mobile, for example, have a feature requiring users to provide a passcode for any online or phone interactions with a customer rep. Sprint and Verizon users can set a PIN and choose security questions when setting up the service. As always, change your passwords at least as often as the password manager of choice suggests.

