Cryptocurrency at risk from hackers intercepting one-time password messages.

A vulnerability in the architecture of mobile networks could enable hackers to intercept SMS one-time passwords and access Bitcoin wallets.

The flaw was discovered by Positive Technologies, which found that hackers would need only a person's first name, last name, and phone number to relieve them of their cryptocurrency cash.

By exploiting Signalling System Number 7 (SS7) vulnerabilities to intercept an SMS message carrying a one-time password, typical of two-factor authentication methods, the researchers were able to discover the email address linked to the wallet, gain control over that email account, and then access the wallet itself.

Once they had the account password for the wallet, they were easily able to withdraw cryptocurrency.

SS7 was developed in 1975 and is used to exchange data, including texts and billing information, and to connect one mobile network to another.

Positive Technologies was one of the first to find problems with the protocol. In spring 2017, the first cases of attacks exploiting SS7 were registered in Germany, in which money was stolen from bank accounts. Cybercriminals intercepted texts with online banking authentication codes sent to customers of Telefonica Germany, a German mobile operator, and used them to carry out unauthorised transactions.

"We work in close coordination with telecom operators to discover threats before hackers do, in order to protect subscribers," said Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies.

"Exploiting SS7 specific features is one of several existing ways to intercept SMS. Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyse vulnerabilities and systematically improve the subscriber security level."

However, Kaspersky Lab's principal security researcher, David Emm, doesn't believe this hack weakens the case for two-factor authentication, saying: "If my front door is broken, thereby making it easier for criminals to gain entry, it doesn't negate the value of front doors.

"It's to be hoped that the telecoms companies will take incidents and proof-of-concepts such as these as a wake-up call to take action to mitigate the risk of an attacker trying to subvert SS7 in this way."

A video demonstrating the attack can be found here.