This story was originally published and last updated .
Your phone and its associated number are always with you, and only you, so it makes sense that a text message sent to you is a solid secondary method for authenticating a login. But savvy tech users know this method of verification is rife for exploitation: SIM jacking, SS7 attacks, and other hacking methods are now common. A recent investigation showed that it’s possible to perform similar attacks with readily-available marketing tools, with the victim none the wiser.
Vice columnist Joseph Cox paid a semi-anonymous hacker going by “Lucky225” to try and gain access to his identity. Lucky came back with results almost immediately, logging in to Cox’s social media accounts on WhatsApp, Postmates, and Bumble, among others, using the common text message two factor authentication method. But unlike a conventional SIM jack attack, in which a hacker uses social engineering and other subtle methods to gain control of a victim’s number and leave their genuine phone without access to it, Lucky managed to rerout Cox’s number and incoming text messages while his phone remained operational. Cox hadn’t realized he was missing text messages until he was told.
This method used a commercial service called Sakari. It’s a legitimate business that forwards one’s text messages to a different device, aimed primarily at companies that want to use the SMS system for customer contact or marketing. Lucky submitted a phony Letter of Authorization indicating that they were the owner Cox’s phone number, along with $16 payment for the cheapest tier of Sakari service. That’s all it took for the researching hacker to re-route all of Cox’s incoming text messages to their hardware, leaving Cox in the dark, with a phone and connected accounts that didn’t show any signs of tampering.
Sakari is only one of a wide range of companies that offer similar services. Sakari uses a separate company, Bandwidth, which then connects with a third company, NetNumber, which operates the Override Service Registry, partnering with major carriers to allow forwarding and rerouting of text messages. All of these various services have legitimate uses, and using them for hacking is against their terms of service. Several companies and the CTIA are quoted in the Vice article as taking steps to protect against similar attacks, but specific methods aren’t outlined.
The extent to which this SMS rerouting technique is being used in the wild is not known. A representative of Okey Systems, which employs Lucky225, says it’s “absolutely” happening, and at least one company that offers similar services to Sakari says it’s stopped suspected fraud activity before. Lucky225 published their own article on Medium detailing the technical aspects of the white hat attack, and urging users not to rely on SMS for two factor authentication. Okey offers a monitoring service that says it can detect this specific method of rerouting.
If you’re concerned about something similar happening to you, there are ways to get around it. You can use a system besides text messages for two factor authentication, such as a physical security key or an authenticator app. (Of course, even those aren’t entirely safe from attack.) But plenty of social media and other companies have come to rely on basic SMS and email as a standard and presumably safe method, and don’t offer more sophisticated alternatives.
AT&T, T-Mobile, and Verizon close security holes
According to a report from Vice, major carriers have closed the security vulnerability that Lucky225 used in their demonstration. This will close off some of the functionality that companies like Sakari were using in legitimate ways, but it makes numbers on said carriers measurably safer for pretty much everyone. Aerialink, yet another message forwarding company, claims that AT&T, T-Mobile, and Verizon have all reclaimed numbers using the overwritten numbers that could have been exploited in the same way.
The carriers, as well as the FCC and the CTIA, did not respond to inquiries. Presumably all of them are taking steps to mitigate the exposed vulnerabilities.