Businesses can silently redirect your texts to hackers, sometimes for just $16


A recently discovered attack on SMS messages, revealed in a report by Motherboard, is almost invisible to victims and appears to be sanctioned by the telecommunications industry. The attack uses text messaging management services aimed at businesses to silently redirect a victim’s text messages to hackers, giving them access to any two-factor codes or login links sent via SMS.

Sometimes the companies providing the service do not send any sort of message to the number being redirected, neither asking for permission nor even letting the owner know that their text messages are now going to someone else. By using these services, attackers can not only intercept incoming text messages but also reply to them.

Joseph Cox, the Motherboard reporter, asked someone to carry out the attack on his number, and it cost the attacker only $16. When he contacted other companies providing SMS redirection services, some of them said they had seen this type of attack before.

The specific company that Motherboard used has reportedly fixed the exploit, but there are plenty more like it – and there doesn’t seem to be anyone holding these companies to account. When asked why this type of attack is even possible, AT&T and Verizon simply directed The Verge to contact CTIA, the trade organization for the wireless industry. CTIA was not immediately available for comment, but it told Motherboard that it had “no indication of malicious activity involving the potential threat or that customers had been affected.”

Hackers have found many ways to exploit SMS and cellular systems to access other people’s texts – methods such as SIM swapping and SS7 attacks have been seen in the wild for a few years now and have sometimes even been used against high-profile targets. With SIM swapping, it is quite easy to tell that you are under attack: your phone will completely disconnect from the cellular network. With SMS redirection, it may take some time before you notice someone else is receiving your messages – more than enough time for attackers to compromise your accounts.

The main concern with SMS attacks is what they mean for the security of your other accounts. If an attacker is able to get a password reset link or code sent to your phone number, they can use it to get into your account. Text messages are also sometimes used to send login links, as Motherboard found with Postmates, WhatsApp and Bumble.

It also serves as a reminder that SMS should be avoided for anything security related, if possible – for two-factor authentication, it’s best to use an app like Google Authenticator or Authy. Some password managers even support 2FA, like 1Password or many other free managers that we recommend. That said, there are still services and businesses that only use SMS as a second factor – the banking industry is infamous for it. For these services, you’ll want to make sure your password is secure and unique, and then push both for them to move away from SMS and for the cellular industry to work on making itself more secure.

