Signaling System No. 7 (SS7) is a communication protocol that has been used for decades to enable phone networks around the world to exchange information. It plays a key role in connecting calls, sending text messages, and many other functions.
Due to security issues surrounding SS7, malicious attackers could use it to:
If you use SMS for two-step authentication on Stripe, an attacker can use this method to obtain your verification codes, thereby gaining access to your account.
Every mobile carrier in the world has access to SS7 and could theoretically perform this attack. It only takes one rogue employee at one mobile carrier on the other side of the world for this attack to become a reality.
The attacker only needs to know your phone number. They can easily look it up in a phone book or find it in past data breaches.
As long as SS7 remains in use by mobile networks, SS7 attacks are possible. The protocol is fundamentally flawed and cannot be fixed without being replaced worldwide. As such, there is no way to prevent SS7 attacks. The only way to protect your Stripe account from their harmful effects is to stop using text messages (SMS) for two-step authentication.
As long as SMS for two-step authentication is enabled, your account is at risk. You should enable an alternative method for two-step authentication, such as an authenticator app or a hardware security key, and then disable SMS.