Companies can silently redirect your texts to hackers, sometimes for as little as $16

A newly discovered attack on SMS messages is almost invisible to victims and apparently sanctioned by the telecommunications industry, according to a report by Motherboard. The attack uses text message management services aimed at companies to silently redirect a victim’s text messages to hackers, giving them access to any two-factor codes or login links sent by text message.

Sometimes, the companies providing the service do not send any type of message to the number being redirected, either to ask for permission or even to notify the owner that their texts are now going to someone else. Using these services, attackers are not only able to intercept incoming text messages, but can also respond.

Someone successfully carried out the attack on the number of Motherboard reporter Joseph Cox, and it only cost the attacker $16. When he contacted other companies that provide SMS redirection services, some of them reported that they had seen this type of attack before.

The specific company that Motherboard used supposedly fixed the exploit, but there are many others like it – and there doesn’t seem to be anyone holding companies accountable. When asked why this type of attack is possible, AT&T and Verizon simply directed The Verge to contact CTIA, the wireless industry trade organization. CTIA was not immediately available for comment, but told Motherboard that it had “no indication of any malicious activity involving the potential threat or that a customer has been affected”.

Hackers have found many ways to exploit SMS and cellular systems to access other people’s texts – methods like SIM swapping and SS7 attacks have been seen in the wild for a few years and are sometimes even used against high-profile targets. But with SIM swapping, it is very easy to tell that you are being attacked: your phone will disconnect completely from the cellular network. With SMS redirection, it can take a while before you realize that someone else is receiving your messages – more than enough time for attackers to compromise your accounts.

The main concern with SMS attacks is the implications they can have for the security of your other accounts. If an attacker is able to obtain a password reset link or code sent to your phone number, they will be able to use it to log into your account. Sometimes text messages are also used to send login links, as Motherboard found with Postmates, WhatsApp and Bumble.

This also serves as a reminder that SMS should be avoided for anything related to security, if possible – for two-factor authentication, it is best to use an application like Google Authenticator or Authy. Some password managers have support for 2FA built in, such as 1Password or many of the other free managers we recommend. That said, there are still services and companies that only offer text messaging as a second factor – the banking industry is famous for that. For these services, you will want to make sure your password is secure and unique, and then push them to stop using SMS and push the mobile industry to become more secure.
