* Known vulnerability in text message protocol lets hackers intercept text messages
* Analysts and privacy experts have been warning companies about flaw for years
* Hackers can use these vulnerabilities to intercept passwords and more
Two-factor verification is still the easiest (and best) extra security measure, but new reports highlight a known vulnerability in text messaging software that could allow hackers to intercept your verification texts.
Signaling System 7 (SS7) is a signaling protocol that telecom companies use to communicate with each other and route text messages. Essentially, it’s the protocol used to send messages from one company to another. For months now, analysts have been warning companies about the known flaw in the protocol, but until recently the threat was all but hypothetical.
Now, hackers in Germany have been able to use this flaw to successfully carry out a massive bank heist, intercepting verification messages and using them to log into people’s bank accounts and empty their savings.
The German newspaper Süddeutsche Zeitung first reported how these hackers were able to log into people’s accounts using various usernames and passwords they already had — though how they got hold of this information is still unknown. Once they tried logging into a person’s account, a verification message was sent containing a separate passcode. The hackers were then able to exploit the SS7 flaw to intercept these verification messages and therefore gain complete and unfettered access to a person’s bank account.
This was the first time hackers actually used this flaw for personal profit, and it brings to light a much bigger problem: every service that offers two-factor verification through SMS text is at risk.
Until companies start taking note and strengthen the security protocols around SMS verification texts, it’s important that you be aware of the information you’re sending and receiving. Make an effort to change your passwords often (a hacker needs your password to use in conjunction with your verification codes).
Additionally, more secure verification services like Apple iMessage and Google Authentication are smart alternatives, as they offer their own form of two-factor authentication and automatically encrypt every text that is sent and received.