Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

'A Hacker Got All My Texts For $16' (vice.com) 40

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me. Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.

I hadn't been SIM swapped, where hackers trick or bribe telecom employees to port a target's phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.
"I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," said Lucky225, the pseudonymous hacker who carried out the attack, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers.

In a statement to Motherboard, Senator Ron Wyden said: "It's not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai's approach of industry self-regulation clearly failed."
This discussion has been archived. No new comments can be posted.

'A Hacker Got All My Texts For $16'

Comments Filter:
  • by GameboyRMH ( 1153867 ) <gameboyrmh@@@gmail...com> on Monday March 15, 2021 @04:11PM (#61162204) Journal

    Hey everyone, don't forget to add your phone number as a recovery address to $POPULAR_WEB_SERVICE today! This is important for security! :-)

  • by iamhassi ( 659463 ) on Monday March 15, 2021 @04:13PM (#61162210) Journal
    Many services just use phone as a second form of authorization. I know many banks, credit cards, domain name services, and hosting providers that use phone for authorization. Losing your instagram account is bad, but having your bank account cleaned out or your online business taken over is much worse.
    • I've only run into one consumer-focused financial services company that lets you use a more typical MFA app for authentication, all the rest are text based.

      I've always wondered why that is, besides the over-simple "cost" answer.

      • by ahodgson ( 74077 )

        Support costs. How do you securely give someone access to their account when they lose their TOTP seed? Which is going to happen all the time if supported.

        • I mean they authenticate you a bunch of different ways now, I assume one (or more than one) of them could be used to reset your MFA status.

      • by raymorris ( 2726007 ) on Monday March 15, 2021 @04:29PM (#61162278) Journal

        There are a number of free apps that implement the HOTP and TOTP 2fa protocols, such as Google Authenticator and Microsoft Authenticator, as well as a dozen others. Again, the apps are free.

        Google provides open-source server-side code*, so that's free too (though you'll probably want to wrap your own GUI around it for your customer service folks). I'm sure there are other open source implementations as well.

        The cost, therefore isn't in buying the 2FA system. Many / most of the bank's customers probably *already* have a compatible app installed.

        That leads to two possibilities:
        Lots of companies sell 2FA apps and servers and do charge per user. A lot of companies won't use open source because management thinks "how can it be any good if it's free?" I've heard them actually say that out loud. Maybe I should ask them which browser they bought.

        Of course, the SMS based 2FA *always* cost money.
        Which leads a lot of managers to think they must be better.

        There is a cost of customer service dealing with customers who don't understand "open the app, click plus, point your phone at the QR code". Or later forget how to use it - open the app and see which code you need to type in.
        The customer service cost may be more with a 2FA app then with text messages.

        * The Google open source code should not be used without the assistance of a security professional in integrating it. I actually ended up re-writing half of it for better security. But then again that's what I do for a living - find and fix security weaknesses. So I'm not saying their code sucks, just saying I can't fully endorse it, and you shouldn't just slap it on a server without involving a security professional.

        • by iamhassi ( 659463 ) on Monday March 15, 2021 @04:35PM (#61162314) Journal
          True, but try explaining to grandma how to use Google authenticator. Phone calls are still easier for the technology challenged.
          • Exactly. I'll occasionally have to explain it to a user, walk then through it. Helpdesk is supposed to do that, but occasionally I end up doing it.

            The various app-based 2FA systems do have the issue of how to securely share the key in the first place, how to do enrollment.
            Ideally you'd have the user physically present at the office / bank and check their ID, tu n let them scan the QR code or whatever.

          • by jythie ( 914043 )
            Not only that but 'phone calls' have not really changed much in the last, what, half century? 2FA is still pretty flavor of the month. If you have a short time horizon or take the upgrade treadmill as just a part of their life already, then it gets a lot less attractive for non-techie users. Google struggles to keep compatible systems running for more than a year or two, who is going to be confident that Google Authenticator or even the protocols behind it will still work in 30 years?
            • > who is going to be confident that Google Authenticator or even the protocols behind it will still work in 30 years?

              Google Authenticator doesn't use a Google server for anything.
              It's really just a calculator app. And there are a dozen others that do the exact same math, so they are interchangable. Meaning different users of my 2FA system use different apps. I don't know it care which app they use to authenticate to my network. So that's not going anywhere. If all the apps did disappear, and I wanted

          • True, but try explaining to grandma how to use Google authenticator. Phone calls are still easier for the technology challenged.

            "Grandma", is starting to refer to someone who's probably been using the internet and owned a cellular phone since she was just called "Mom".

            I look forward to when we can perhaps stop using such excuses for the elderly who are allegedly so computer illiterate that the concept of an authenticator is lost on them (as they ironically school Gen-Z on what a pager is). This is the Manually Operated Generation. To say they're used to taking a few extra steps in life, is putting it mildly.

            If the elderly person w

        • by vlad30 ( 44644 )
          Unless I am missing something this "hacker" beat 2fa by diverting the SMS to another phone through a corporate entity that didn't check whether or not the legal owner and by the fact number portability was brought in so consumers owned their number and were not inconvenienced when moving providers for better deals this is the "Hack" which to me looks more of a fraud which should go to the FBI.
          • > this "hacker" beat 2fa by diverting the SMS to another phone through ... number portability

            Well yes. Hacking is using a system to do things it wasn't intended to do. This person hacked the number portability system in order to hack the other systems.

            I may be misinterpreting because there is no time of voice in text, but I'm reading your message in a particular tone. It seems to me you might be thinking "that's not hacking - he cheated". Perhaps because you think of hacking as being strictly computer s

            • by vlad30 ( 44644 )
              Actually after reading the article it was a authorised "Hack" by a security professional to show how easy it could be done easily now the method is out there unscrupulous people will use it. As for this type of "hack" I consider it more of a fraudulent action due to it requiring deceit and illegally filling out a form if the payment was made with a stolen credit card it would be reversed once the company was informed however the damage is done very quickly. It is easy to change easy to find info for instanc
              • > However this could easily have been stopped if the original company simply checked with the original owner with a confirmation text before they switched

                It would be illegal for the company that legitimately services the number to try to stop it. The onus for identifying the customer is on the new company. But the bad guy gets to choose the new company, and can choose the crappiest fly-by-night VoIP operator.

                > As for this type of "hack" I consider it more of a fraudulent action due to it requiring de

      • I have 3 (vanguard, principal, and Robinhood).

        Unfortunately only Robinhood seems to block fallback to SMS authorization, greatly minimizing the use of have a dongle for 2fa.

  • This puts SMS as an authentication mechanism into question. Sounds pretty easy to steal these sensitive logins now.

    • by tlhIngan ( 30335 )

      This puts SMS as an authentication mechanism into question. Sounds pretty easy to steal these sensitive logins now.

      SMS shouldn't have been used as a second factor. NIST updated their guidelines in 2016 deprecating SMS based two factor authentication [slashdot.org].

      For various reasons, SMS is bad - not just SIM swapping, but various exploits of SS7 pretty much make it unsafe.

      This was big news years ago with people thinking NIST was being paid off to say that, but I guess the eggheads there know what they're talking about.

    • WTF? SMS hasn't been a recommended authentication mechanism for at least a decade and has been actively warned against for at least 5 years. this is only one of many flawes in SMS. pretty much any company or government that cares about security ditched SMS a long LONG time ago.
  • by Otis B. Dilroy III ( 2110816 ) on Monday March 15, 2021 @04:56PM (#61162396)
    Stop using Google Hangouts
    Stop using Bumble
    Stop using PostMates
    Stop using Twitter
    Stop using FaceBook
    Stop using Zoom
    Stop spending all of your time on line
    Get a life
    • Do I stop online banking also?

    • Arguably, using Bumble is a way to GET a life. Most people these days meet by online dating. Especially in the middle of a pandemic.

      Also Twitter can use (only uses?) 2FA with a generated code, not an SMS, so that's fine too.

      People use Zoom for work. I don't think it's reasonable for you to tell people to stop using that.

      Honestly, stop telling people how they're supposed to enjoy their own time. If you're a company, just make it minimally safe for people to use your service. Take our security as seriously as

    • by antdude ( 79039 )

      You first since you're online with /.. :P

    • by Ksevio ( 865461 )

      All these apps are part of having a life you luddite

      • This Luddite started writing software, post graduation, in 1985. My generation built the internet. None of us, However, imagined that it would facilitate such obvious morons as your self...
        • by Ksevio ( 865461 )

          You're a luddite because you don't understand new technology. Explaining your experience is from 35 years ago and you couldn't imagine anything newer doesn't really help your case.

  • So, this is not really an issue with the cell phone providers, but the company that hosts the database of where phone numbers are pointed.

    When congress forced the telephone companies to allow customers to keep their numbers when they change providers (called number porting), they appointed a company that eventually became known as NeuStar to be the official "record keeper" of phone numbers in North America. Essentially, they manage the database of all the phone numbers in NA and have entries for Voice call

  • Serious offer. Emails and FB messages negotiable.

No spitting on the Bus! Thank you, The Mgt.

Working...