There is a newfound attack on text messages that are almost invisible to victims, and apparently approved by the telecommunications industry, which is reported in a report by Motherboard. The attack uses text message management services aimed at businesses to divert text messages from a victim to hackers in silence, giving them access to any two-factor codes or login links sent via text message.
Sometimes the companies that provide the service do not send a message to the number being sent, either to ask permission or even to notify the owner that their texts are now going to someone else. With these services, attackers can not only intercept incoming text messages, but can also reply to them.
Joseph Cox, who Motherboard reporter, if someone successfully carried out the attack on his number, and it cost the attacker only $ 16. When he contacted other companies that provide SMS redirection services, some of them reported that they had seen this type of attack before.
The specific company that Motherboard use has allegedly corrected the exploitation, but there are many others like it – and no one seems to hold the companies liable. When asked why this type of attack is even possible, AT&T and Verizon simply addressed The edge to contact CTIA, the trade organization for the wireless industry. CTIA was not immediately available for comment, but it said Motherboard that it has ‘no indication of any malicious activity involving the potential threat or that customers have been affected.’
Hackers have found many ways to use SMS and cellular systems to access other people’s texts. Methods such as SIM exchange and SS7 attacks have been seen in nature for several years and are sometimes even used at high target. But with SIM exchange, it’s pretty easy to say you’re being attacked: your phone will completely disconnect from the mobile network. But with SMS redirection, it can take a while before you realize that someone else is receiving your messages – more than enough time for attackers to compromise your accounts.
The biggest concern with SMS attacks is the consequences it can have for the security of your other accounts. If an attacker could send a link or code reset to your password to your phone number, they would be able to access it and log into your account. SMSs are also sometimes used to send login links, such as Motherboard found at Postmates, WhatsApp and Bumble.
It also serves as a reminder that SMS should be avoided for any security related, if possible – for two-factor authentication it is better to use an app like Google Authenticator or Authy. Some password managers even have built-in 2FA support, such as 1Password or many of the other free drivers we recommend. It is said that there are still services and businesses that only use texting as a second factor – the banking industry is notorious for that. For these services, you want to make sure that your password is secure and unique, and then press both so that they can move away from SMS and that the cellular industry needs to work to make itself more secure.