Altcoins Talks - Cryptocurrency Forum
Crypto Discussion Forum => Cryptocurrency discussions => Topic started by: CryptoZenWorld on July 24, 2018, 02:16:02 AM
-
Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.
However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims' bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.
If that incident wasn't enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies now demonstrated how cybercriminals could exploit the SS7 flaw to take control of the online bitcoin wallets to steal all your funds.
Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.
While demonstrating the attack, the Positive researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target's phone number.
Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.
Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn't any actual fraud of bitcoin cryptocurrencies.
This issue looks like a vulnerability in Coinbase, but it's not. The real weakness resides in the cellular system itself.
Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.
Different SS7 Attack Scenarios
This attack is not limited to only cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification are vulnerable to the attacks.
The designing flaws in SS7 have been in circulation since 2014 when a team of researchers at German Security Research Labs alerted the world to it.
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.
Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacks using the same designing flaws in SS7 to bypass two-factor authentication used by those services.
At TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) and successfully intercepted his iPhone, recorded call, and tracked his precise location in real-time just by using his cell phone number and access to an SS7 network.
Although the network operators are unable to patch the issues anytime soon, there's little a smartphone user can do.
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.
Source: thehackernews.com
-
Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.
However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims' bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.
If that incident wasn't enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies now demonstrated how cybercriminals could exploit the SS7 flaw to take control of the online bitcoin wallets to steal all your funds.
Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.
While demonstrating the attack, the Positive researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target's phone number.
Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.
Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn't any actual fraud of bitcoin cryptocurrencies.
This issue looks like a vulnerability in Coinbase, but it's not. The real weakness resides in the cellular system itself.
Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.
Different SS7 Attack Scenarios
This attack is not limited to only cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification are vulnerable to the attacks.
The designing flaws in SS7 have been in circulation since 2014 when a team of researchers at German Security Research Labs alerted the world to it.
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.
Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacks using the same designing flaws in SS7 to bypass two-factor authentication used by those services.
At TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) and successfully intercepted his iPhone, recorded call, and tracked his precise location in real-time just by using his cell phone number and access to an SS7 network.
Although the network operators are unable to patch the issues anytime soon, there's little a smartphone user can do.
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.
Source: thehackernews.com
-
This topics will remind us to be careful in all of our so can't hackers can't hack our valuable information that might risk our hold crypto investment or other accounts most especially if it involves in money.
-
Hackers will hijack our Wallet by using the web phishing that we open. So we should be more careful when opening a web that must enter our personal data including Wallet and Private Key. So if anyone asks for Private Key to get airdrop or giveaway it is sure it will try to cheat and steal hijaking our wallet.
-
We should also be careful about the links we click in our emails. Most are hackers set up. In fact, one of the latest ways hackers try to steal funds from the unsuspecting is by sending emails with a projects name that the recipient is familiar with. They post a link that is suppose to belong to this project and ask the email receiver to click and check something or the other in the site. The minute you do that, a malware starts stealing information from your phone.
-
We should also be careful about the links we click in our emails. Most are hackers set up. In fact, one of the latest ways hackers try to steal funds from the unsuspecting is by sending emails with a projects name that the recipient is familiar with. They post a link that is suppose to belong to this project and ask the email receiver to click and check something or the other in the site. The minute you do that, a malware starts stealing information from your phone.
Yeah, this is a true say. I read a little about how hackers can steal useful and meaningful information from anybody, and often time through emails.
Clicking on links that is not from the right/original source is also another pattern used by them, and they do this by creating a similar page with a different extension which one will not easily recognise, and through this, ing of forms/password has been disclosed to them.
-
Most are hackers set up. In fact, one of the latest ways hackers try to steal funds from the unsuspecting is by sending emails with a projects name that the recipient is familiar with. They post a link that is suppose to belong to this project and ask the email receiver to click and check something or the other in the site.
-
this is a true say. I read a little about how hackers can steal useful and meaningful information from anybody, and often time through emails.
-
Computer geniuses can do whatever they want if we do not stick to even the elementary rules of security and anonymity.