$16 Attack Shows How Easy Carriers Make It to Intercept Text Messages
upstart writes in with an IRC submission:
$16 attack shows how easy carriers make it to intercept text messages:
In a new article titled "A Hacker Got All My Texts for $16," Vice reporter Joseph Cox detailed how the white-hat hacker-an employee at a security vendor-was able to redirect all of his text messages and then break into online accounts that rely on texts for authentication.
This wasn't a SIM swap scam, in which "hackers trick or bribe telecom employees to port a target's phone number to their own SIM card," Cox wrote. "Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him."
This method tricked T-Mobile into redirecting Cox's text messages in a way that might not have been readily apparent to an unsuspecting user. "Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal," Cox wrote. "Except I never received the messages intended for me, but he did."
The hacker, who goes by the mononym "Lucky225," is director of information at Okey Systems, a security vendor. "I used a prepaid card to buy [Sakari's] $16-per-month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," the Okey employee told Cox. The "LOA" is "a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers," Cox wrote.
"A few minutes after they entered my T-Mobile number into Sakari, [the hacker] started receiving text messages that were meant for me," Cox wrote. "I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts."
[...] Cox's story is not the first reminder about the insecurity of text messages. SIM-swapping attacks and flaws in the SS7 telephone protocols already made it risky to use text messages for authentication, but many websites and other online services still rely on texts to verify users' identities. Customers can set up account PINs with T-Mobile and other carriers to prevent unauthorized access to their cellular accounts, but it isn't clear whether doing so would have prevented the type of attack that redirected Cox's text messages.
Read more of this story at SoylentNews.