SMS-verification-code-based password resetting and 2FA are both vulnerable to attacks. Soon after the hacker gets your phone number, he/she may reset the passwords of the victim's accounts by intercepting the password reset verification code sent via SMS. Despite having the victim's account protected with 2FA, hackers can pass through the second authentication factor by intercepting the SMS verification code, hence hijacking the account. Such SMS interception attacks are called SS7 redirection attacks (SRAs).

Papers:

T. Fox-Brewster, "All that's needed to hack Gmail and rob bitcoin: A name and a phone number," Forbes, 2017. https://www.forbes.com/sites/thomasbrewster/2017/09/18/ss7-google-coinbase-bitcoin-hack/#43151cca41a4

T. Moore, T. Kosloff, J. Keller, G. Manes, and S. Shenoi, "Signaling System 7 (SS7) network security," 45th Midwest Symposium on Circuits and Systems, 2002.

C. Peeters et al., "Sonar: Detecting SS7 redirection attacks with audio-based distance bounding," 2018 IEEE Symposium on Security and Privacy (SP), IEEE, 2018.

GSMA, "SMS SS7 Fraud": https://www.gsma.com/newsroom/wp-content/uploads/2012/12/IR7031.pdf
