When you think your smartphone is finally secured from the prying eyes of hackers, a new security threat is still waiting around the corner. Hackers can now divert SMS messages intended for the victim’s phone number to their own systems, according to a news report. Due to an exploit in these services, hackers use text-messaging management services intended for business to carry out the attack. In some cases, these attacks are possible due to the telecom industry’s incompetence, at least in the United States, and hackers are in for a treat. Hackers use these attacks to redirect crucial text messages, such as OTP or login links for services like WhatsApp.
The SMS Hack
After a hacker targeted Motherboard reporter Joseph Cox’s personal phone number, the discovery was made. According to the report, the hacker could easily intercept data by simply redirecting SMS messages intended for his mobile number. Cox, the victim of this case, would have no idea that he was the object of an assault since his SMSes are no longer reaching his phone. And the abuse of responsible services is so widespread that the organisations delivering the services do not send any SMS to the targeted number to seek permission or simply notify the owner that the texts have been forwarded. Hence, it’s a foolproof attack that hackers are openly employing against the telecom industry.
The most surprising aspect of this hack is that hackers can gain access to these services for just $16. which is around 1,160 Indian Rupees. And this is the small amount most service providers charge for SMS redirection services that are intended for paying companies, not hackers. While the company that offered these services in the case of Cox claims to have patched the exploit, many others have not. Some of these firms are aware of the flaw but blame CTIA, the US wireless industry’s trade association. Despite the fact that CTIA told Motherboard that it had “no indication of any malicious activity concerning the potential threat or that any customers have been affected.”
Alarming Situation
The recent SMS redirection attack is just the latest in a long line of SMS and cellular device hacking attempts. SIM swapping and SS7 attacks have been around for a long time and have affected a large number of users. The most significant distinction between these two attacks is that the victim learns his phone has been compromised within a few moments after the phone has completely lost its cellular network. This is not the case for SMS redirection, where the victim is totally unaware of the operation. When you don’t receive the SMS that you expected to receive on your phone, such as OTP messages, it’s natural to suspect a network issue.
And it’s a alarming situation. Consider this scenario — a hacker has access to OTPs for various authentication-enabled operations, and your accounts are no longer available because your password has been reset. Imagine a hacker using OTP to log into your WhatsApp account and gain access to your chats. The exploit affected Cox’s WhatsApp, Bumble, and Postmates accounts, according to Motherboard, where the hacker was able to log in and screenshot the content. You may be blackmailed into paying a ransom for these screenshots by the hacker.
Mitigation
To avoid being a victim of such blunders, you should restrict the use of SMS services. Authenticator applications like Google Authenticator or Authy are better for two-factor authentication (2FA). It is also preferable to have your email address registered with your account in order to obtain bank-related OTPs. It is also preferable to have your email address registered with your account in order to obtain bank-related OTPs. But, without your banking information, the OTP would be useless to the hacker.