How can a hacker hijack someone else's SMS and break into accounts such as WhatsApp for only ¥1700 per month?



Short Message Service (SMS), which lets you send and receive text messages using the phone number of a mobile phone or smartphone, is used not only for contacting friends but also for multi-factor authentication in online services and apps. However, hacking and privacy journalist Joseph Cox reports that his SMS was hijacked by a hacker who used a service costing only $16 per month.

A Hacker Got All My Texts for $16
https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

Companies can silently reroute your texts to hackers, sometimes for just $16 - The Verge
https://www.theverge.com/2021/3/15/22332315/sms-redirect-flaw-exploit-text-message-hijacking-hacking

To learn about a new way of hijacking SMS, Cox gave a hacker named 'Lucky225' permission to hijack his own SMS. Afterwards Cox carried his smartphone as usual and saw nothing abnormal on it, but Lucky225 reported, without any warning having appeared, that 'I succeeded in hijacking Mr. Cox's SMS.' As proof, Lucky225 sent a screenshot of the SMS message screen, and also broke into Cox's accounts on the dating app Bumble, the food delivery service Postmates, and WhatsApp.

When a surprised Cox checked his smartphone, there was no evidence of hacking or of SIM swapping, in which the information associated with a SIM card is changed under the pretext of a lost smartphone. The only difference was that 'SMS messages were not sent'. Lucky225 says that to hijack Cox's SMS he used a $16/month plan from Sakari, a company whose service helps businesses with SMS marketing.

Sakari offers a service that 'routes SMS messages so they can be sent and received on devices that are associated with another phone number.' Lucky225 was able to receive the messages sent to Cox's number on his own smartphone simply by purchasing this plan with a prepaid card and entering false information in the contract. In addition, it appears he was able to take over accounts on other services: for apps and services that use SMS for multi-factor authentication, he quietly started the password change procedure and completed identity verification with the rerouted SMS.



Teli Tuketu, CEO of Okey Systems, the company where Lucky225 is director of information, said it would be difficult for victims to notice an SMS hijacking right away.

Okey Systems provides tools to detect the hijacking of services, including SMS. Without such tools, a victim may keep using SMS for multi-factor authentication without realizing that it has been hijacked, and there is a risk that their various apps and services will be hijacked as well.

Karsten Nohl, a researcher at Berlin-based Security Research Labs, commented that he had never seen an SMS hijacking using services such as Sakari. Meanwhile, Tuketu argues that there is no doubt that this type of attack has already taken place. Text My Main Number, which offers a service similar to Sakari, responded to Motherboard's inquiry by saying, 'Recently, I suspected suspicious activity in one of my accounts, so I immediately shut down my account and reported it.'

Sakari co-founder Adam Horsman told Motherboard that he had never maliciously hijacked SMS and that Lucky225's attack was a 'vector of anomalous attacks.' However, to deal with future problems, he said the company has added a security feature that automatically calls the phone number associated with the SMS and asks for a verification code. According to Lucky225, a company called Beetexting, which provides services similar to Sakari, has already introduced a similar security feature.

Federal Communications Commission (FCC) Deputy Chairman Jessica Rosenworcel said in a statement to Motherboard, 'If this is true, reports of newly discovered smartphone vulnerabilities are alarming. Consumers rely on smartphones for more information and activity than ever before. We need to better understand and identify this potential vulnerability.' The news outlet The Verge argued that consumers should avoid using SMS for multi-factor authentication as much as possible and use two-step verification apps instead.



in Mobile, Web Service, Security, Posted by log1h_ik