- Some attacks made possible through SMS services are approved by the telecom industry.
- If two-factor authentication is to be applied, it should not be done through SMS.
What is the attack about?
According to a report by Motherboard, a new attacking method has been revealed on Short messaging services (SMS) which seemingly cannot be understood by the victim. What’s more? Such an attack gets approval from the telecom industry itself. In this attack, the SMS is silently forwarded from the user to the hackers which gives them access to two-factor (2FA) authentication, what we know as OTP today or login links. These attacks are generally aimed at businesses but the victims are generally the consumers.
In some situations, companies that provide the services, don’t send any type of messages to the number that is being redirected. Either to ask for any kind of permissions or to notify the user about the redirection of the messages. Using this kind of attack, the attackers can intercept the messages and also send a reply if need be.
The research behind the attack:
The reporter of Motherboard, Joseph Cox, made someone carry out the attack successfully on his own number. And the entire process cost him just $16. When he contacted the companies that provide SMS redirection, some of them agreed to have seen such an attack previously. The company, who Cox contacted, fixed the issue but there are other companies similar to this one. And there is no one to hold these companies accountable for such attacks.
What popular telecom companies have to say?
When the companies like AT&T and Verizon were asked about such attacks and the reason behind them, they asked the reporters to contact CTIA. CTIA happens to be the trade organization for the wireless industry. CTIA did not respond or comment to the questions, immediately. But, they told that they had “no indication of any malicious activity involving the potential threat or that any customers were impacted.”
There have been so many attacks successfully attempted in so many ways by hackers. And now, the same hackers have successfully managed to hack the SMS. They’ve intercepted them and have exploited the cellular systems to receive other people’s texts. Hackers have been using techniques like SIM swapping and SS7 attacks for years now and sometimes high-profile targets have also been a victim to these methods.
When it comes to SIM swapping, it becomes easy to tell that the user is under an attack. The phone disconnects from the network completely. But when it comes to SMS redirection, it may take sometime before you notice that someone else is receiving the messages that you are supposed to get. And this time window is more than enough for the hackers to compromise the accounts associated with your number.
The basic concern with these kinds of SMS attacks is that they could compromise the security of your other accounts that are linked to the number you use. If an attacker can get a password reset link or a code that is sent to your number through SMS, they can get a hold of your entire account and access it scot-free. So many companies send SMS messages for sending login links. Some of the companies that do this are Whatsapp, Bumble, and Postmates.
This works as a reminder that in order to use two-factor authentication, you need to use Google Authenticator or Authy. SMS authentication should be avoided at all costs. Yet, there are companies that use text messages for the second authentication method. This includes banks and banking systems – the most vulnerable system.