about stark vulnerabilities in a mobile data network called SS7 . These flaws allow attackers to listen to calls , i ntercept Attack.Databreachtext messages , and pinpoint a device 's location armed with just the target 's phone number . Taking advantage of these issues has typically been reserved for governments or surveillance contractors . But on Wednesday , German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help d rain Attack.Databreachbank accounts . This is much bigger than a series of bank accounts though : it cements the fact that the SS7 network poses a threat to all of us , the general public . And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts . `` I 'm not surprised that hackers take money that is 'lying on the table ' . I 'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network , '' Karsten Nohl , a cybersecurity researcher who h as highlighted Vulnerability-related.DiscoverVulnerabilityvulnerabilities in SS7 , told Motherboard in an email . In short , the issue with SS7 is that the network believes whatever you tell it . SS7 is especially used for data-roaming : when a phone user goes outside their own provider 's coverage , messages still need to get routed to them . But anyone with SS7 access , which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung , can send a routing request , and the network may not authenticate where the message is coming from . That allows the attacker to direct a target 's text messages to another device , and , in the case of the bank accounts , s teal Attack.Databreachany codes needed to login or greenlight money transfers ( after the hackers o btained Attack.Databreachvictim passwords ) . Although some telcos have taken steps to m itigate Vulnerability-related.PatchVulnerabilitythe issue , there are clearly still huge gaps for hackers to exploit . `` Everyone 's accounts protected by text-based two-factor authentication , such as bank accounts , are potentially at risk until the FCC and telecom industry f ix Vulnerability-related.PatchVulnerabilitythe devastating SS7 security flaw , '' Lieu said in a statement published Wednesday . `` I urge the Republican-controlled Congress to hold immediate hearings on this issue . '' In the meantime , and maybe irrespective of whether SS7 problems are ever f ixed,Vulnerability-related.PatchVulnerabilitysocial media companies , banks , and other online services need to stop using SMS-based two-factor authentication . Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS . Twitter does let users sign in with a code from Google Authenticator , an app on your smartphone that provides a more robust form of two-factor authentication , but the site apparently still sends those logging in an SMS code , which , in light of these recent SS7 attacks , totally undermines the extra security protections . Twitter did not immediately respond to a request for comment . Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication , which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7 . That piece , clearly , is out of date . `` It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security , '' Lieu 's statement added .