Security

American Telcos Fix Their Systems to Prevent $16 SMS Hijacking

By Bill Toulas / March 26, 2021
sms

Ten days ago, Vice conducted an investigation where they proved that all they needed to do in order to hijack the SMS of any subscriber was paying a hacker $16. The pseudonymous person acted swiftly, stealthily, and effortlessly, providing the SMS messages of the Vice journalist and not even having to perform any SIM swaps or anything extremely sophisticated like exploiting SS7 network flaws.

He/she just signed up on an otherwise legitimate mass messaging marketing service, and by exploiting a security gap, managed to reroute the said SMS messages.

Now, the same publication is reporting that telcos are eventually plugging that hole. The announcement that confirms the fix came from Aerialink and mentioned the following:

The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers. The change is industry-wide and affects all SMS providers in the mobile ecosystem. Be aware that Verizon, T-Mobile, and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile, or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway.

The telcos themselves, or the FCC, which is their governing body, haven’t provided any comments to Motherboard, so this was a somewhat “silent” fix with nobody feeling the need to say anything about it. It is extremely unlikely, though, that the FCC will just let this pass, and we expect the authority to launch an investigation and impose fines on the telcos.

From the side of the software that was abused, the co-founder of the vendor has stated the following:

We welcome this news and hope the rest of the industry follows suit. It has always been our policy at Sakari to only support the text-enablement of VoIP and landline phone numbers, and as soon as the industry issue was raised we placed a complete block on any mobile numbers. As part of our internal audit, other than Lucky225’s account (the hacker’s), we found no other mobile numbers enabled.

Having SMS messages rerouted to anyone who can subscribe to a third-party’s platform can obviously have dire consequences for the security of any accounts that happen to use 2FA linked to these numbers. This can potentially open Pandora’s box in terms of people’s privacy. The hacker who has performed the demonstration for Vice proved that taking over several of the target's accounts this way would be fairly easy.

If you need a takeaway from all this, that would be that SMS is not a secure method of 2FA, and you should prefer an authenticator app or a physical key instead. If you have no other option, use a private number that is not linked to your identity, is not known by others, and is not used for any other purpose than 2FA.

Latest Articles

Add a Comment
Related Posts

FCC Reveals that US Telcos were Selling User Location Data


February 1, 2020

Google Is Taking Steps to Prevent Geo-Tag Hijacking on Android 11


August 21, 2020

Signal Takes Another Step to Protect People's Anonymity


June 4, 2020

American Startup Is Paying People $500 to Give Away Their Payroll Credentials


May 11, 2021

UK Tax Service Exposed Thousands Through Careless Bulk SMS Operation


March 23, 2021

Dubai to Introduce Facial Recognition Systems on Public Transport


October 26, 2020

© TechNadu 2024. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari