'A Hacker Got All My Texts For $16' (vice.com)
An anonymous reader quotes a report from Motherboard, written by Joseph Cox: I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me. Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.
I hadn't been SIM swapped, where hackers trick or bribe telecom employees to port a target's phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target. "I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," said Lucky225, the pseudonymous hacker who carried out the attack, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers.
In a statement to Motherboard, Senator Ron Wyden said: "It's not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai's approach of industry self-regulation clearly failed."
Don't forget (Score:4, Funny)
Hey everyone, don't forget to add your phone number as a recovery address to $POPULAR_WEB_SERVICE today! This is important for security! :-)
Re: (Score:2)
dumb ass.
when a hacker shows that they have tapped into your phone line.
call the f b i
Wow, lucky that’s all they took (Score:3)
Re: (Score:2)
I've only run into one consumer-focused financial services company that lets you use a more typical MFA app for authentication, all the rest are text based.
I've always wondered why that is, besides the over-simple "cost" answer.
Re: (Score:2)
Support costs. How do you securely give someone access to their account when they lose their TOTP seed? Which is going to happen all the time if supported.
Re: (Score:2)
I mean they authenticate you a bunch of different ways now, I assume one (or more than one) of them could be used to reset your MFA status.
Customer service cost, not tech cost (Score:5, Informative)
There are a number of free apps that implement the HOTP and TOTP 2fa protocols, such as Google Authenticator and Microsoft Authenticator, as well as a dozen others. Again, the apps are free.
Google provides open-source server-side code*, so that's free too (though you'll probably want to wrap your own GUI around it for your customer service folks). I'm sure there are other open source implementations as well.
The cost, therefore, isn't in buying the 2FA system. Many / most of the bank's customers probably *already* have a compatible app installed.
That leads to two possibilities:
Lots of companies sell 2FA apps and servers and do charge per user. A lot of companies won't use open source because management thinks "how can it be any good if it's free?" I've heard them actually say that out loud. Maybe I should ask them which browser they bought.
Of course, the SMS based 2FA *always* cost money.
Which leads a lot of managers to think they must be better.
There is a cost of customer service dealing with customers who don't understand "open the app, click plus, point your phone at the QR code". Or later forget how to use it - open the app and see which code you need to type in.
The customer service cost may be more with a 2FA app than with text messages.
* The Google open source code should not be used without the assistance of a security professional in integrating it. I actually ended up re-writing half of it for better security. But then again that's what I do for a living - find and fix security weaknesses. So I'm not saying their code sucks, just saying I can't fully endorse it, and you shouldn't just slap it on a server without involving a security professional.
Re:Customer service cost, not tech cost (Score:4, Insightful)
Re: (Score:2)
Exactly. I'll occasionally have to explain it to a user, walk then through it. Helpdesk is supposed to do that, but occasionally I end up doing it.
The various app-based 2FA systems do have the issue of how to securely share the key in the first place, how to do enrollment.
Ideally you'd have the user physically present at the office / bank and check their ID, then let them scan the QR code or whatever.
Re: (Score:2)
Arithmetic won't change (Score:3)
> who is going to be confident that Google Authenticator or even the protocols behind it will still work in 30 years?
Google Authenticator doesn't use a Google server for anything.
It's really just a calculator app. And there are a dozen others that do the exact same math, so they are interchangeable. Meaning different users of my 2FA system use different apps. I don't know or care which app they use to authenticate to my network. So that's not going anywhere. If all the apps did disappear, and I wanted
Re: (Score:2)
"More likely" broken is true, I suppose.
To formally show it's broken, you need to show that you can generate a collision with probability non-trivially greater than chance.
Non-trivially meaning if it's theoretically 1 in 2^256, it's not a break to show you can do it in (2^256) - 1. Because that's still the same value for all practical purposes.
Re: (Score:2)
True, but try explaining to grandma how to use Google authenticator. Phone calls are still easier for the technology challenged.
"Grandma" is starting to refer to someone who's probably been using the internet and owned a cellular phone since she was just called "Mom".
I look forward to when we can perhaps stop using such excuses for the elderly who are allegedly so computer illiterate that the concept of an authenticator is lost on them (as they ironically school Gen-Z on what a pager is). This is the Manually Operated Generation. To say they're used to taking a few extra steps in life is putting it mildly.
If the elderly person w
Re: (Score:2)
Re: (Score:2)
> this "hacker" beat 2fa by diverting the SMS to another phone through ... number portability
Well yes. Hacking is using a system to do things it wasn't intended to do. This person hacked the number portability system in order to hack the other systems.
I may be misinterpreting because there is no time of voice in text, but I'm reading your message in a particular tone. It seems to me you might be thinking "that's not hacking - he cheated". Perhaps because you think of hacking as being strictly computer s
Re: (Score:2)
Re: (Score:2)
> However this could easily have been stopped if the original company simply checked with the original owner with a confirmation text before they switched
It would be illegal for the company that legitimately services the number to try to stop it. The onus for identifying the customer is on the new company. But the bad guy gets to choose the new company, and can choose the crappiest fly-by-night VoIP operator.
> As for this type of "hack" I consider it more of a fraudulent action due to it requiring de
Re: Wow, lucky that’s all they took (Score:2)
I have 3 (vanguard, principal, and Robinhood).
Unfortunately only Robinhood seems to block fallback to SMS authorization, greatly minimizing the use of having a dongle for 2FA.
Comment removed (Score:5, Insightful)
Re: (Score:2)
So much for 2FA (Score:1)
This puts SMS as an authentication mechanism into question. Sounds pretty easy to steal these sensitive logins now.
Re: (Score:3)
SMS shouldn't have been used as a second factor. NIST updated their guidelines in 2016 deprecating SMS based two factor authentication [slashdot.org].
For various reasons, SMS is bad - not just SIM swapping, but various exploits of SS7 pretty much make it unsafe.
This was big news years ago with people thinking NIST was being paid off to say that, but I guess the eggheads there know what they're talking about.
Re: (Score:2)
There is a simple way to minimize this sort of thi (Score:3, Informative)
Stop using Bumble
Stop using PostMates
Stop using Twitter
Stop using FaceBook
Stop using Zoom
Stop spending all of your time on line
Get a life
Re: (Score:2)
Do I stop online banking also?
Re: (Score:2)
Arguably, using Bumble is a way to GET a life. Most people these days meet by online dating. Especially in the middle of a pandemic.
Also Twitter can use (only uses?) 2FA with a generated code, not an SMS, so that's fine too.
People use Zoom for work. I don't think it's reasonable for you to tell people to stop using that.
Honestly, stop telling people how they're supposed to enjoy their own time. If you're a company, just make it minimally safe for people to use your service. Take our security as seriously as
Re: (Score:2)
You first since you're online with /.. :P
Re: (Score:2)
All these apps are part of having a life you luddite
Re: (Score:2)
Re: (Score:2)
You're a luddite because you don't understand new technology. Explaining your experience is from 35 years ago and you couldn't imagine anything newer doesn't really help your case.
Telecom and SMS (Score:2)
So, this is not really an issue with the cell phone providers, but the company that hosts the database of where phone numbers are pointed.
When congress forced the telephone companies to allow customers to keep their numbers when they change providers (called number porting), they appointed a company that eventually became known as NeuStar to be the official "record keeper" of phone numbers in North America. Essentially, they manage the database of all the phone numbers in NA and have entries for Voice call
I will Sell Mine for $15 (Score:2)
Serious offer. Emails and FB messages negotiable.