So, you think your two-factor codes or login links are safe when you receive them via text messages? Well, it’s time to think again as according to reports, there is a new kind of attack being carried out through SMS messaging which puts such information at risk and the worst part is victims can’t even see when they are being targeted.
As revealed by Motherboard first, the attackers are successfully redirecting messages coming from various services or businesses that have text-messaging management services, as a part of their security. And by doing so, the hackers get access to any of the two-factor codes or login links that are being sent to the victim through any text message.
The companies don’t even notify the number which is targeted to be redirected and this way, the attackers don’t only receive the all-important incoming text messages, but they have the advantage of replying on behalf of the real recipient as well.
As of now, Joseph Cox, who has reported a similar attack from Motherboard, first caught his messages being redirected and upon diving deep into the matter, he came to know that it only costs $16 for the attacker to perform such a scam. After that, Joseph contacted other companies as well who provide him SMS redirection services and some of them claimed that such an attack has occurred through their systems before.
While fortunately, the company that Motherboard used has fixed its own system for any kind of exploit to occur again but there are still many and no one is holding them accountable for the scam.
Moreover, when telecom companies like AT&T and Verizon are asked about the issue they simply ask to contact CTIA (the trade organization for the wireless industry) for the following matter. CTIA, in return, remains unavailable for comment, but one of the representatives told Motherboard that they haven’t seen any indications of such malicious activity.
Hackers in the past have continuously been successful in exploiting the SMS and cellular systems in many ways for the sake of redirecting people’s texts to themselves. Some of the more popular scams were based on SIM swapping and SS7 attacks which even turned out to be effective for high-profile targets.
However, SIM swapping wasn’t as smooth as SMS redirection, as the victim was easily able to identify when they were being targeted as the phone gets completely disconnected from the cellular network in the process. Whereas, with SMS redirection, it takes some time for the victim to know if their messages are being sent somewhere else and that time is enough for the hackers to get what they want.
The biggest concern with SMS attacks is that nowadays a lot of other messaging or social media platforms are connected to the numbers. Hence, if an attacker gets successful at receiving the password reset link or code sent to your phone number, then they can potentially have access to all of your private information available on and off the internet.
All in all, we think this scam is a great reminder of how we all can no longer trust SMS for the security of our accounts. There are now better solutions in the form of apps like Google Authenticator or Authy. But then again, it is services and companies which only use text messages as a second factor to incorporate such apps into their systems. Or else the cellular industry needs to make itself more secure.
Illustration: Upklyak/ Freepik
Read next: How Easily Your Information Is Exploited On the Dark Web
As revealed by Motherboard first, the attackers are successfully redirecting messages coming from various services or businesses that have text-messaging management services, as a part of their security. And by doing so, the hackers get access to any of the two-factor codes or login links that are being sent to the victim through any text message.
The companies don’t even notify the number which is targeted to be redirected and this way, the attackers don’t only receive the all-important incoming text messages, but they have the advantage of replying on behalf of the real recipient as well.
As of now, Joseph Cox, who has reported a similar attack from Motherboard, first caught his messages being redirected and upon diving deep into the matter, he came to know that it only costs $16 for the attacker to perform such a scam. After that, Joseph contacted other companies as well who provide him SMS redirection services and some of them claimed that such an attack has occurred through their systems before.
While fortunately, the company that Motherboard used has fixed its own system for any kind of exploit to occur again but there are still many and no one is holding them accountable for the scam.
Moreover, when telecom companies like AT&T and Verizon are asked about the issue they simply ask to contact CTIA (the trade organization for the wireless industry) for the following matter. CTIA, in return, remains unavailable for comment, but one of the representatives told Motherboard that they haven’t seen any indications of such malicious activity.
Hackers in the past have continuously been successful in exploiting the SMS and cellular systems in many ways for the sake of redirecting people’s texts to themselves. Some of the more popular scams were based on SIM swapping and SS7 attacks which even turned out to be effective for high-profile targets.
However, SIM swapping wasn’t as smooth as SMS redirection, as the victim was easily able to identify when they were being targeted as the phone gets completely disconnected from the cellular network in the process. Whereas, with SMS redirection, it takes some time for the victim to know if their messages are being sent somewhere else and that time is enough for the hackers to get what they want.
The biggest concern with SMS attacks is that nowadays a lot of other messaging or social media platforms are connected to the numbers. Hence, if an attacker gets successful at receiving the password reset link or code sent to your phone number, then they can potentially have access to all of your private information available on and off the internet.
All in all, we think this scam is a great reminder of how we all can no longer trust SMS for the security of our accounts. There are now better solutions in the form of apps like Google Authenticator or Authy. But then again, it is services and companies which only use text messages as a second factor to incorporate such apps into their systems. Or else the cellular industry needs to make itself more secure.
Read next: How Easily Your Information Is Exploited On the Dark Web
