Bitcoin Forum

Although various researchers have already warned about security vulnerabilities in the 3G network, it seems that problems continue to be detected in 4G and even in the 5G network, which should logically correct the flaws from previous standards.

If one wonders what the consequences are for users who may become victims of 4G/5G network hacking, read the following :


From this it follows that the greatest threat to crypto users is intercept of SMS which some use as 2FA on crypto exchanges. Of course, this is a targeted attack that does not require excessive knowledge and requires equipment that can be purchased for as little as $200. Unfortunately, repair of such flaws is only possible by replacing the hardware on the part of the operator and on the part of the user, which of course is completely impracticable at the moment.

Advice for anyone using mobile networks and crypto is to be on the lookout, especially if it is public knowledge that you own a significant amount of money in crypto.

https://techcrunch.com/2019/02/24/new-4g-5g-security-flaws/

Sorry if this might sound stupid, will the risk of losing crypto from this kind of attack be lessened using Google 2FA instead of SMS 2FA? Also, how does these 4G/5G networks gets attacked? What I understand as of now is that an attacker can get my exact mobile number, hear conversations from my calls, and read messages I send.

---

Thank you.

---

Replies are highly appreciated. When it comes to technical topics like this, I'm quite slow digesting all those informations.

Flaws in 4G and 5G aside, for all the really bad news concerning sim-swaps that's been spreading since forever, SMS 2FA is a very bad idea to start with.

Yes, because the SMS message itself is what's going to be potentially be stolen afaik. Google 2FA codes can't be stolen unless you're device itself is infected(and rooted).

Thank you for those informations, so it seems better to avoid 2FA by SMS when you hold big amounts of cryptos on a platform. And at least better to avoid to connect 3G/4G/5G networks if you are using it.

The article provided by the OP explained how. It was said that even people with little knowledge about cellular paging protocols can do their own intercepting in both the 4g and 5g network. What's worst about that is they aren't only able to intercept calls amd messages but they can also track your phone's location or give some targeted phishing attacks, this simply mean that not only they can intercept your calls and texts they can also send you fake ones which is really scary to think. For a 4g/5g user I think there is no other solution here but to avoid sending important information through text and calls right now.

Bttzed03, as I mentioned earlier, these are the attacks in which the victims are targeted, which means that you have to be relatively close to someone, have the necessary equipment and knowledge to carry out such an attack.

As far I know Google codes can be sent via SMS, by voice call or via mobile app, which would mean that they are in part vulnerable to such attacks. If you are interested in the technical details I suggest you read the article and also the link at the bottom of the article that leads to the previous research.

There is no room to panic, this is just a warning that the things we take for granted are not exactly what they seem.

Thanks for sharing this information Lucius. The solution sounds crazy because replacing the hardware isn't a viable option at all.

I will give a warning to my close friends to have their coins in the phone, I always think that was a bad ide, but they think the risk was zero.

Yes, this vulnerability only affects a means of 2FA that was already vulnerable. Everybody should have stopped using SMS for 2FA years ago.
 

TOTP codes from Google Authenticator can't be stolen this way. However, it's worth noting that Google does offer 2FA via SMS or phone call (https://support.google.com/accounts/answer/185839?co=GENIE.Platform%3DAndroid&hl=en).

We should probably specify TOTP (Authenticator) or U2F (YubiKey) when making recommendations, just to be safe.

What if I get an email OTP on top of that SMS that's sent as a 2fa? This email thing was used to be an additional measurement of authentication when I used blockchain.info (but it used to be inverse where email comes first). Can't this email thing (if set alone and no 2fa) with a very strong password work out as an alternative if SMSes and calls are not to be trusted?

Stedsm, this is about the interception of mobile data, which with the help of special equipment can be used for illegal purposes. So everything that travels by air can be intercepted in some way, which does not mean that any data can be misused because they are encrypted. However, I think that such flaws (and some other unknown ones) are mostly used by the secret services of all countries of the world in spying on bad people, but of course there are abuses as always.

Regarding one-time password (OTP) via e-mail, it should be much safer than 2FA SMS. Although they are known cases that some users of blockchain.com (info) are hacked no matter what they used e-mail verification. But this probably has nothing with this flaws in mobile networks standard.

Some may say that I am too paranoid, but for all sensitive operations I use exclusively my landline internet connection, although in exceptional cases I need to use a 4G mobile network, but only thing that I'm worried about is crypto security. So no 2FA over SMS, and hardware wallet (Nano X) as mobile wallet provide me with a satisfactory level of security.