There’s a newly discovered attack on SMS messaging that’s almost invisible to victims, and seemingly sanctioned by the telecom industry, uncovered in a report by Motherboard. The attack uses text-messaging management services that are aimed at businesses to silently redirect text messages from a victim to hackers, giving them access to any two-factor codes or login links that are sent via text message.
Sometimes, the companies providing the service don’t send any sort of message to the number that’s being redirected, either to ask permission or even to notify the owner that their texts are now going to someone else. Using these services, attackers are not only able to intercept incoming text messages, but they can reply as well.
Joseph Cox, the Motherboard reporter, had someone successfully carry out the attack on his number, and it only cost the attacker $16. When he contacted other companies providing SMS redirection services, some of them reported that they had seen this sort of attack before.
The specific company that Motherboard used has reportedly fixed the exploit, but there are many others like it — and there doesn’t seem to be anyone holding the companies to account. When asked why this type of attack is even possible, AT&T and Verizon simply directed The Verge to contact CTIA, the trade organization for the wireless industry. CTIA wasn’t immediately available for comment, but it told Motherboard that it had “no indication of any malicious activity involving the potential threat or that any customers were impacted.”
Hackers have found many ways to exploit the SMS and the cellular systems to get at other people’s texts — methods like SIM swapping and SS7 attacks have been seen in the wild for a few years now and have sometimes even been used against high-profile targets. But with SIM swapping, it’s pretty easy to tell that you’re being attacked: your phone will completely disconnect from the cellular network. But with SMS redirection, it could be quite a while before you notice that someone else is getting your messages — more than enough time for attackers to compromise your accounts.
The main concern with SMS attacks are the implications they could have for the security of your other accounts. If an attacker is able to get a password reset link or code sent to your phone number, they would then have access to it and be able to get into your account. Text messages are also sometimes used to send login links, as Motherboard found with Postmates, WhatsApp, and Bumble.
This also serves as a reminder that SMS should be avoided for anything security related, if possible — for two-factor authentication, it’s better to use an app like Google Authenticator or Authy. Some password managers even have support for 2FA built in, like 1Password or many of the other free managers we recommend. That said, there are still services and companies that only use text messages as a second factor — the banking industry is infamous for it. For those services, you’ll want to make sure that your password is secure and unique, and then push both for them to move away from SMS and for the cellular industry to work on making itself more secure.