US carriers close security loophole that allowed easy SMS hijack

Bhawani Singh

Your phone and its associated number are always with you, and only you, so it makes sense that a text message sent to you is a solid secondary method for authenticating a login. But savvy tech users know this method of verification is ripe for exploitation: SIM jacking, SS7 attacks, and other hacking methods are now common. A recent investigation showed that it’s possible to perform similar attacks with readily available marketing tools, with the victim none the wiser.

Vice columnist Joseph Cox paid a semi-anonymous hacker going by “Lucky225” to try and gain access to his identity. Lucky came back with results almost immediately, logging in to Cox’s social media accounts on WhatsApp, Postmates, and Bumble, among others, using the common text message two-factor authentication method. But unlike a conventional SIM jack attack, in which a hacker uses social engineering and other subtle methods to gain control of a victim’s number and leave their genuine phone without access to it, Lucky managed to reroute Cox’s number and incoming text messages while his phone remained operational. Cox hadn’t realized he was missing text messages until he was told.

This method used a commercial service called Sakari. It’s a legitimate business that forwards one’s text messages to a different device, aimed primarily at companies that want to use the SMS system for customer contact or marketing. Lucky submitted a phony Letter of Authorization indicating that they were the owner of Cox’s phone number, along with a $16 payment for the cheapest tier of Sakari service. That’s all it took for the researching hacker to reroute all of Cox’s incoming text messages to their hardware, leaving Cox in the dark, with a phone and connected accounts that didn’t show any signs of tampering.

Sakari is only one of a wide range of companies that offer similar services. Sakari uses a separate company, Bandwidth, which then connects with a third company, NetNumber, which operates the Override Service Registry, partnering with major carriers to allow forwarding and rerouting of text messages. All of these various services have legitimate uses, and using them for hacking is against their terms of service. Several companies and the CTIA are quoted in the Vice article as taking steps to protect against similar attacks, but specific methods aren’t outlined.

The extent to which this SMS rerouting technique is being used in the wild is not known. A representative of Okey Systems, which employs Lucky225, says it’s “absolutely” happening, and at least one company that offers similar services to Sakari says it’s stopped suspected fraud activity before. Lucky225 published their own article on Medium detailing the technical aspects of the white hat attack, and urging users not to rely on SMS for two-factor authentication. Okey offers a monitoring service that says it can detect this specific method of rerouting.

If you’re concerned about something similar happening to you, there are ways to get around it. You can use a system besides text messages for two-factor authentication, such as a physical security key or an authenticator app. (Of course, even those aren’t entirely safe from attack.) But plenty of social media and other companies have come to rely on basic SMS and email as a standard and presumably safe method, and don’t offer more sophisticated alternatives.
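Why an authenticator app is not exposed to the rerouting described above: the one-time code is computed on the device from a shared secret and the clock, so nothing crosses the SMS network. The sketch below is an added example (not from the article or any service it names) of RFC 6238 TOTP generation and server-side verification; the secret is the published RFC test key and the `verify` helper and its parameters are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 Appendix B test key; not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) for the given time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, step: int = 30,
           digits: int = 6, drift_steps: int = 1, last_counter: int = -1):
    """Return the matched time-step counter, or None if the code is rejected.

    drift_steps tolerates small clock skew between phone and server.
    last_counter is the counter of the last accepted code for this account;
    anything at or before it is refused so a captured code cannot be replayed.
    """
    now = unix_time // step
    matched = None
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        expected = totp(secret, counter * step, step, digits)
        # Constant-time comparison; every candidate is checked on each call.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("first use:", verify(RFC_TEST_SECRET, code, 59))
    print("replay:", verify(RFC_TEST_SECRET, code, 59, last_counter=1))
```

The caller stores the returned counter per account and passes it back as `last_counter` on the next login attempt.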

According to a report from Vice, major carriers have closed the security vulnerability that Lucky225 used in their demonstration. This will close off some of the functionality that companies like Sakari were using in legitimate ways, but it makes numbers on said carriers measurably safer for pretty much everyone. Aerialink, yet another message forwarding company, claims that AT&T, T-Mobile, and Verizon have all reclaimed numbers using the overwritten numbers that could have been exploited in the same way.

The carriers, as well as the FCC and the CTIA, did not respond to inquiries. Presumably all of them are taking steps to mitigate the exposed vulnerabilities.
