Bitcoin Forum
Author Topic: Stealing Bitcoins from online wallets with 2FA  (Read 1246 times)
aleksej996 (OP)
Sr. Member
****
Offline Offline

Activity: 490
Merit: 389


Do not trust the government


View Profile
September 19, 2017, 10:53:04 PM
 #1

I see people calling for 2FA as a safety mechanism for their accounts even though there is a huge vulnerability in the mobile networks known for years now.
2FA just increases the complexity of the attack, it doesn't stop it at all. Here is an article from The Hacker News that came out today about using 2FA on Bitcoin online wallets like Coinbase, although they say that it isn't a vulnerability in Coinbase at all but in the mobile system design flaws instead.

https://thehackernews.com/2017/09/hacking-bitcoin-wallets.html

The conclusion here is that you shouldn't consider a mobile network safe.
edynolan
Full Member
***
Offline Offline

Activity: 364
Merit: 100



View Profile
September 19, 2017, 11:00:17 PM
 #2

That possibility is just a threat from them.
It is very difficult to penetrate 2FA because the code is often changed.
coin-investor
Hero Member
*****
Offline Offline

Activity: 2870
Merit: 580


Leading Crypto Sports Betting & Casino Platform


View Profile
September 19, 2017, 11:11:33 PM
 #3

Quote
That possibility is just a threat from them.
It is very difficult to penetrate 2FA because the code is often changed.

If you read the whole article, you can read that it's possible there is a flaw and
Quote
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.

I'm glad the penetration was done by experts and not by hackers so they can patch it.

JasonXG
Hero Member
*****
Offline Offline

Activity: 770
Merit: 500


View Profile
September 19, 2017, 11:26:50 PM
 #4

Hmmmm.... Ya, I don't know, they make it sound like it is so easy when it's not. What is this SS7?

I still don't think it's easy and it is meant to be a second defense, not primary. I don't use SMS though, I use the authenticator and I'm sure it's very safe.
aleksej996 (OP)
Sr. Member
****
Offline Offline

Activity: 490
Merit: 389


Do not trust the government


View Profile
September 20, 2017, 01:11:57 AM
 #5

Quote
Hmmmm.... Ya, I don't know, they make it sound like it is so easy when it's not. What is this SS7?

There is a wikipedia article for more information https://en.wikipedia.org/wiki/Signalling_System_No._7

Quote
I still don't think it's easy and it is meant to be a second defense, not primary. I don't use SMS though, I use the authenticator and I'm sure it's very safe.

It is true that it is usually a second defense, although there are often account recovery options using a mobile phone. I am not sure about the authenticator, but if it works when your phone is not connected to the Internet then it is using SMS and the SMS might not be encrypted.
Raxitto
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250



View Profile
October 02, 2017, 12:44:56 PM
 #6

In the attack, hackers first went to Gmail, using the Google service to find an email account with only a phone number. Once the email account had been identified, the hackers initiated a password reset process, asking for unique authorization codes to be sent to the victim's phone. By exploiting the weaknesses of SS7, they were able to intercept the text messages containing these codes, allowing them to choose a new password and take control of the Gmail account. They could simply go to the Coinbase website and make another password reset using the email they compromised. This type of attack is not just a threat that affects digital coins. This affects anything connected to the Gmail account, not to mention the complete loss of all these emails and the entire Google account.
diskodasa
Sr. Member
****
Offline Offline

Activity: 337
Merit: 250



View Profile
October 02, 2017, 12:55:24 PM
 #7

Of course a hacker can hack the mobile network through the SS7 bug, but it is very hard. We don't have the luck to get hacked by these hackers. And if you use the authenticator by Google you won't need to worry about this anymore.

Crypto_trader87
Full Member
***
Offline Offline

Activity: 322
Merit: 100



View Profile
October 02, 2017, 12:59:05 PM
 #8

I observe this situation also in some of our friends. We are suspecting that 2FA is also not safe for your money and bitcoins. These days hackers are more invincible and so high-tech that they can hack everything.

TanyaDegurechaff
Full Member
***
Offline Offline

Activity: 182
Merit: 100


They say a thin line separates genius and madness.


View Profile
October 02, 2017, 01:05:02 PM
 #9

Even though it's a possibility, there is a very low chance that someone will try to hack you if they don't even know how much BTC is in your account. They won't spend huge amounts of time and effort just to hack an account that will turn out to have only a small amount in it. They will likely research first whose accounts may have a huge amount of BTC in them and try to hack those. So those of us who don't have huge amounts of BTC are safe from this kind of attack.

"Miracles are illusions caused by insufficient observation and understanding. They're just... glorious misunderstandings."
joseafonso123az
Sr. Member
****
Offline Offline

Activity: 476
Merit: 250


View Profile
October 02, 2017, 01:14:37 PM
 #10

Well, for every technology advancement, there has always been an exploitation attack. Many times the attacks occur a lot and get personal, but developers quickly correct the bugs so that doesn't happen again. This will also be corrected some way, and after that, people will try to find other ways. This happens everywhere, even in real life. For example, when someone robs a store once, he might get caught. The second time he goes there he will have a new strategy to rob. So this will always happen, it's how fast you solve the issue that matters!
KuromaYoichi
Sr. Member
****
Offline Offline

Activity: 756
Merit: 251


Sovryn - 300-500% APY on USDT Deposit


View Profile
October 02, 2017, 01:22:54 PM
 #11

Well, there's always an exploit that can be used by a hacker to get control of our account, but adding 2FA makes it harder for them to get control. If they have to choose, I'm sure they will prefer the one without 2FA as it's easier than the effort needed to hack the one using 2FA. I don't consider a mobile network safe but it's certainly better than nothing.

JanpriX
Hero Member
*****
Offline Offline

Activity: 1708
Merit: 606

Buy The F*cking Dip


View Profile
October 02, 2017, 01:28:50 PM
 #12

Quote
I see people calling for 2FA as a safety mechanism for their accounts even though there is a huge vulnerability in the mobile networks known for years now.
2FA just increases the complexity of the attack, it doesn't stop it at all. Here is an article from The Hacker News that came out today about using 2FA on Bitcoin online wallets like Coinbase, although they say that it isn't a vulnerability in Coinbase at all but in the mobile system design flaws instead.

https://thehackernews.com/2017/09/hacking-bitcoin-wallets.html

The conclusion here is that you shouldn't consider a mobile network safe.

You should never feel safe with a mobile network or online wallet at all. They both have vulnerabilities that can be exploited by hackers that do know the ins and outs of the network system. They can initiate a social engineering attack on a phone company where an individual's online crypto account is tied. After doing that, they can already access the said crypto account because the security of phone companies nowadays is very lax and not secure at all. The so-called "2FA" using the SMS services of these phone companies should not be considered in this age (2017), especially if you're gonna use it for any crypto-related stuff.
nrvasquez
Hero Member
*****
Offline Offline

Activity: 966
Merit: 500


View Profile
October 02, 2017, 01:30:11 PM
 #13

Quote
That possibility is just a threat from them.
It is very difficult to penetrate 2FA because the code is often changed.

I agree with you. With a code that often changes I think it will still be difficult. And also, to get into the wallet, I think there is a mistake made by the user of the wallet itself, e.g. using a malicious internet connection. A few hours ago I read there was about $550K lost in one wallet, and the cause is malicious Wi-Fi.

ScripterRon
Full Member
***
Offline Offline

Activity: 136
Merit: 120


View Profile
October 02, 2017, 02:29:10 PM
 #14

Google Authenticator (or WinAuth on PC) is secure and does not rely on any network exchange.  Coinbase no longer recommends Authy and tells its users to use Google Authenticator.  If you use one of these programs, be sure to record the QR code (or the secret phrase) so you can recover the authenticators if you need to get a new phone.
Lieldoryn
Sr. Member
****
Offline Offline

Activity: 630
Merit: 272


View Profile
October 02, 2017, 02:35:39 PM
 #15

I heard that there is a possibility to circumvent the protection using a mobile phone. It's hard to do because the wallet will not allow two users at the same time. So you need to block the phone owner. It is not difficult, but only in a mechanical way. If you have a large bank account you are always at risk. That's why it's so important to keep your money in different purses and in small amounts.
nightwishx
Hero Member
*****
Offline Offline

Activity: 900
Merit: 500


View Profile WWW
October 02, 2017, 02:49:01 PM
 #16

That person must be a genius, because I know 2FA has a good security standard. With the code changing frequently, I think it will be difficult even though many people are trying it out. But this guy made it through 2FA, I think he has his own way of doing it.

olubams
Hero Member
*****
Offline Offline

Activity: 798
Merit: 503


View Profile
October 02, 2017, 02:54:26 PM
 #17

Quote
I see people calling for 2FA as a safety mechanism for their accounts even though there is a huge vulnerability in the mobile networks known for years now.
2FA just increases the complexity of the attack, it doesn't stop it at all. Here is an article from The Hacker News that came out today about using 2FA on Bitcoin online wallets like Coinbase, although they say that it isn't a vulnerability in Coinbase at all but in the mobile system design flaws instead.

https://thehackernews.com/2017/09/hacking-bitcoin-wallets.html

The conclusion here is that you shouldn't consider a mobile network safe.

For every method to keep your wallet safe, there will always be a flaw in the system, but so far 2FA has been one way to guard against that, because for a hacker to get to the point of accessing your 2FA code there must be a serious compromise of the entire account, going beyond emails to include the mobile number, which is mostly attached to 2FA codes. The moment this option is no longer strong enough, I am sure other methods will be provided.
CrazyCraig
Sr. Member
****
Offline Offline

Activity: 501
Merit: 340


Bye Felisha!


View Profile
October 02, 2017, 02:59:44 PM
 #18

The article references a type of man-in-the-middle attack with SMS messages. While harder, it is still possible to have your 2FA device breached with an app such as Authy, as a copy of the data can be stored in your device's cloud backup.

You take steps to protect yourself by using a separate, non-service connected device to handle 2fa requests. You should also disable backups and use long complex passwords.
sishahid
Full Member
***
Offline Offline

Activity: 212
Merit: 100

I am a Professional Graphic Designer


View Profile
October 02, 2017, 03:50:55 PM
 #19

Causes of cybersecurity in the current world are a headache now. Subscriber Identity Module cloning is now a threat to security. It is possible to steal the wallet with the possession of it. If the security aspects improve, it is possible to get rid of the hack.
iram1011
Hero Member
*****
Offline Offline

Activity: 896
Merit: 521



View Profile
October 02, 2017, 04:02:03 PM
 #20

When it comes to mobile, nothing is safe. That is why it is always advisable to have a hardware or paper wallet instead of a mobile or desktop wallet, which are connected to the internet. Any app or software can be infected to read data from the user's mobile or desktop, and that too very easily. I think people hardly read terms and conditions before downloading and simply grant permissions to apps when asked. All these things only make mobile vulnerable.