Can We Stop Pretending SMS Is Secure Now?
2021-03-16 22:30

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else.

In a SIM swap, the attackers redirect the target's phone number to a device they control, and then can intercept the target's incoming SMS messages and phone calls.

The interception method that Lucky225 described is still dangerously exposed by a number of systemic weaknesses in the global SMS network, he said.

"In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider's NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed - just type the target's phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them. They won't even be alerted that anything has happened as their voice & data services will continue to work as usual. Surprisingly, despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this relatively unsophisticated attack."

WHAT CAN YOU DO? Given the potentially broad impact of fraudsters abusing this and other weaknesses in the vast mobile ecosystem to completely subvert the security of SMS-based communications and multi-factor authentication, it's probably a good idea to rethink your relationship to your phone number.

My advice has long been to remove phone numbers from your online accounts wherever you can, and avoid selecting SMS or phone calls for second factor or one-time codes.


News URL

https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/