PSA: Stop Using SMS / Text for 2 Factor Authentication (2FA) Access Codes Due to SS7 Vulnerability

Many people are becoming aware of enhanced security measures taken by banking, internet, email and other institutions.  Commonly known as “two-factor authentication” or 2FA, these measures give the user a choice of receiving a one-time PIN or password by text message or from an app loaded on the phone, known as an authenticator.  Another, less common format is a security token that can be kept with the user; the token generates a random PIN, usually every minute.

Having your email hacked or bank account drained can be daunting for anyone, but for those of us who travel, having this happen while you are in a foreign country or on an airplane with no internet access poses another problem and can easily ruin a trip.

If I have 2FA enabled, I’m safe, right?

In short, no, or maybe.  The answer is a bit complicated.  It really depends on HOW you have enabled 2FA.  If you use your text messaging or SMS to receive your code you are vulnerable. Why?  Read on…

Why is 2FA via text messaging or SMS not secure?

To fully understand why, we have to look a little deeper and explain how cellular networks work. Specifically, we have to understand how cellular networks are connected and why they need to be connected.  Because networks pass information such as text messages, billing information, roaming information and other data between one another, a connection called SS7 exists. This network has been vulnerable to hacks and outside access for a long time. Without getting very technical, once someone has access to the SS7 network, your cellular movement, calls, and texts are easily accessible.  The text messages sent and received are not encrypted over SS7, so a hacker can read them.  If they have access to your messages, they can see any message, including PINs from your bank, internet provider, email service, etc.  For more information and an example, watch the video below.

So what can I do to protect myself?

Fortunately, you can use an alternate form of 2FA instead of text / SMS services. The Two Factor Authorization website shows many different services that offer 2FA for access and the ways they support 2FA. It is important to switch to a hardware or software token, as we have already learned that phone calls and text messages are easily hacked.

What is a hardware or software token?

Generally, hardware and software tokens generate a unique PIN every 60 seconds, or at least at set intervals.  A hardware token is usually small, similar in size to a USB drive or a credit card, and is something you carry with you.  A software token is an app you download to your phone, and the app displays the unique PIN.

  • Google Authenticator is a software token.  It is available for Android and iOS and you can learn more on ZDNet.
  • Authy is another software token.  There is more information on ZDNet.
  • Hardware tokens are made by different manufacturers.  RSA is a major player in the hardware token arena.  Identity Automation also sells hardware tokens.

What is the future of 2FA?

The best form of 2FA would be automatic, and require no user authentication.  Already some authenticator apps offer the ability to push a single button to allow access to the site you want.  However, the next step would be automatic, based on your surroundings.  According to the Multi-Factor Authentication Wikipedia page:

“Advances in research of two-factor authentication for mobile devices consider different methods in which a second factor can be implemented while not posing a hindrance to the user. With the continued use and improvements in the accuracy of mobile hardware such as GPS, microphone, and gyro/accelerometer, the ability to use them as a second factor of authentication is becoming more trustworthy. For example, by recording the ambient noise of the user’s location from a mobile device and comparing it with the recording of the ambient noise from the computer in the same room on which the user is trying to authenticate, one is able to have an effective second factor of authentication. This also reduces the amount of time and effort needed to complete the process.”

Do yourself a favor and update your 2FA methods before your next trip.  Safe travels.

About The Flying Detective

The Flying Detective has traveled around the world since the 1990s and has visited many countries. TFD has been involved in travel hacking since 2015 and enjoys free or discounted air travel and hotels. He writes trip reports and other articles that may be of interest to fellow travel hackers.

7 thoughts on “PSA: Stop Using SMS / Text for 2 Factor Authentication (2FA) Access Codes Due to SS7 Vulnerability”

  1. Alex Natividad MD

    SS7 protocol was never meant for security but just for communication. 2FA via SMS is actually a good security layer solution. The problem was wrong implementation.
    Static codes were sent, thus when intercepted, can be copied, and thus the very reason for 2FA is no longer secure.
    The solution is to provide a dynamic 2FA, so in the event of intercept, it is useless to the hacker.

    1. Shane the Flying Detective Post author

      If the hacker intercepts it and immediately uses it the dynamic concept is still flawed unless it is somehow encrypted. An additional layer of authentication / “pushback” with a fingerprint, facial scan, pin challenge, or some other identification method would be helpful as well.

  2. Ken Dillman

    That’s interesting info but the advice isn’t very helpful. You’ve basically said “Don’t use keys to lock your house”. Unfortunately to follow that advice, I have to buy all new locks for my doors. And in the case of websites, I don’t own the locks. I could carry a dozen tokens and have every software authentication program ever written, but if the website only offers SMS or unencrypted email as the second factor, I’m toting a bunch of boat anchors!

    1. Shane the Flying Detective Post author

      Software tokens allow for multiple websites to be accessed, so it’s not as bad as you might think. For example, one software key will display the random codes for multiple websites you may use, if you set them up.

  3. SS8

    A SS7 hack isn’t actually the most likely vulnerability to happen in the wild.

    Verizon Wireless users who are opted into Integrated Messaging are at risk & are actively exploited today – all you need is someone’s Verizon username/password & you can intercept all of their texts. Most Verizon customers don’t even know that they have it enabled because of how sneaky Verizon is about enabling it on Android phones.

    AT&T runs a similar service, but since theirs is protected by 2FA, it’s not an issue. I’d assume that T-Mobile DIGITS can be exploited similar to Verizon.

    1. Shane the Flying Detective Post author

      I agree it’s not the most likely, however it’s easy to do for those who want to do it, and those who have the skillset. Time has shown more sophisticated planning by the hackers, specifically merging databases, trying to aggregate information, and using multiple tiers of attack. This would be an easy logical step for big prizes like bank accounts, or email accounts.

