A nasty new attack has recently come to light thanks to Motherboard/Vice: attackers silently redirecting your text messages so they can compromise your two-factor accounts that rely on text messaging.
The attacks abuse a legitimate text messaging management service designed to help businesses with marketing and mass messaging. Attackers are using this service to redirect your text messages and cause great harm.
How does this happen?
The process for signing up and verifying a victim’s phone number on a text management platform is shockingly easy. A little forgery on a Letter of Authorization form, part of a self-regulated process the FCC should be overseeing but doesn’t, and bam — the hacker is approved for redirection. The phone number’s owner receives no warning before the redirection goes live.
What’s more, attacking a number can cost the hacker as little as $16 (reference). Companies providing redirection services are often aware of this but do not disclose it to the number owners affected by their services. When asked how an attack like this is possible, many companies are quick to deny the claims and redirect questions to the trade organization for the wireless industry (CTIA).
Cellular phones have long been targets of attack, but SMS redirection has one key difference. Previously known attacks have used SIM swapping or SS7 attacks, and it is usually clear that your phone is under attack because it is completely disconnected from the cellular network. SMS redirection is different: you may not know you’re being attacked, because voice still works and nothing makes it obvious that someone else is receiving your text messages, which gives hackers just enough time to take control of your accounts. The “silent,” invisible nature of SMS redirection is what makes it such a genuine and unique threat to individuals.
What is the primary security concern with SMS redirection attacks?
The main security concern is hackers gaining access to your accounts. SMS authentication exists to verify account access and passwords. If hackers are initiating or intercepting this process, they gain access to the account(s) you were attempting to verify instead of you.
What should we learn from these new types of attacks?
SMS (text messaging) should ideally not be used for anything security-related or highly sensitive. If you use two-factor authentication, it is better to use apps like Authy, Google Authenticator, or Microsoft Authenticator. Password managers with built-in 2FA support are even better. We put together a list of our most recommended password managers here. For industries like banking where SMS authentication is the industry standard, ensure that your passwords are unique and strong to protect access to your sensitive financial information.
UPDATE: As of 3/25/21, T-Mobile, Verizon, and AT&T have stopped the SMS hijacks thanks to the Vice article. We still strongly recommend avoiding SMS for two-factor authentication.
Does your business use SMS two-factor authentication for anything sensitive? We’re here to help. Contact us here.