In Australia it's mandated that you're sent a message before rerouting or migrating to another provider. Surprised this isn't enforced in other countries; it costs next to nothing to implement and is just an additional step in the account migration process.<p>I'd love to see companies allow for opt-in additional security measures, like banks or telcos calling me and having a verbal password to confirm things. That level of security seems to only be available to VIPs.
SMS is irredeemably broken, like all telco-designed garbage protocols. The only way you can incentivize companies to stop using it as security theater is to shift liability so that any losses incurred by SMS jacking are automatically the liability of the company using SMS, just as nowadays any credit card fraud is borne by the company that is not using the EMV chip to secure a transaction.
Reminder: SMS 2FA adds only a negligible amount of security; if your company does 2FA via SMS, you're doing nothing more than lulling your users into a false sense of security. Don't do it. Support proper 2FA. (And while you're at it, allow your users to decide how much they care about their account. Don't make the decision for them.)
Voip.ms, Vonage/Twilio, et al. let you set up an SMS-capable number really quickly and cheaply, available globally... and you'd be fully in control.
Too many services use phone numbers as the keys to the kingdom. It's a convenient and stable identifier, but holy shit it's not designed for security <i>at all</i>.
It’s worth pointing out that LOA forms often ask for a PIN, usually the same PIN as would be required to check voicemail. A better telecom company might make the PIN something harder to remember, but enforcing such things would also make it harder to switch carriers, particularly if it replaced today’s standard forms of ID checks.<p>It’s better to assume that until phone numbers can be locked and unlocked the way domains can, with a random authorization code only accessible via real offline 2FA (though not all domain providers require it), and with the option of completely end-to-end encrypted texting (RCS?), SMS won’t really be all that secure.
So, when my nontechnical friends ask me what they should be using for 2FA, I'm kind of at a loss what to tell them. It's either a false sense of security (e.g., SMS), or too complicated for them (Yubikey).<p>There's got to be a better system.
It’s insane that providers can do this.<p>I note, however, that this attack seems to only be possible on VoIP-routable numbers, and it’s my experience that banks, etc., will not allow you to use VoIP-routable numbers for 2FA.<p>That’s definitely not the case for a naive implementation of SMS 2FA as would be done by likely any dev using Twilio, etc.<p>Also, don’t forget that NIST deprecated SMS 2FA over 5 years ago. Here’s their reasoning: <a href="https://www.nist.gov/blogs/cybersecurity-insights/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3" rel="nofollow">https://www.nist.gov/blogs/cybersecurity-insights/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3</a>
Lots of comments here along the lines of "SMS 2FA is bad", but hell, if the phone companies had an appropriate level of liability here (which should be a shit ton), this should be impossible.<p>And it's not just about 2FA, most of humanity expects that if someone else texts them, those texts will go to their phone and only their phone unless they've given explicit verifiable consent.<p>I mean, in this case all the hacker did was fill out a form and say pretty please. I hope phone companies that allow this get sued.
Isn't this easily solvable with the additional SMS token approval mentioned in the article?<p>> "orsman added that, effective immediately, Sakari has added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number. As part of another test, Lucky225 did try to reroute texts for the same number with consent using a different service called *Beetexting*; the site already required a similar automated phone call to confirm the user's consent. This was in part "to avoid fraud," the automated verification call said when Motherboard received the call. Beetexting did not respond to a request for comment."<p>But it seems that the entire system is globally infested with security holes. Is this applicable worldwide or just limited to one country?
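The consent check quoted above (an automated call to the number itself, with a code the requester must send back) is easy to get subtly wrong: the code has to go only to the real holder of the number, it has to expire, guesses have to be limited, and the comparison should not leak timing. The block below is an added, self-contained illustration of that flow; it is not Sakari's or Beetexting's code, and the delivery channel, the five-minute lifetime, the three-attempt limit and the sample number and code are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 300   # assumed: consent code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: after three wrong codes the request is discarded


@dataclass
class PendingTransfer:
    number: str
    requester: str
    code: str
    expires_at: float
    attempts: int = 0


def random_code() -> str:
    """Six-digit code from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** 6):06d}"


class TransferConsentGate:
    """Gate a 'route SMS for this number to us' request behind a code that is
    delivered to the number itself (by automated call or text), so that only
    whoever actually holds the handset can complete the transfer.

    deliver(number, code) is the out-of-band channel to the number's owner;
    clock and code_source are injectable so the flow can be tested deterministically.
    """

    def __init__(self,
                 deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time,
                 code_source: Callable[[], str] = random_code):
        self._deliver = deliver
        self._clock = clock
        self._code_source = code_source
        self._pending: Dict[str, PendingTransfer] = {}

    def request(self, number: str, requester: str) -> None:
        """Start a transfer request. The requester (the party who signed the LOA)
        never sees the code; it is delivered to the number being transferred."""
        code = self._code_source()
        self._pending[number] = PendingTransfer(
            number, requester, code, self._clock() + CODE_TTL_SECONDS)
        self._deliver(number, code)

    def confirm(self, number: str, submitted: str) -> Tuple[bool, str]:
        """Complete the transfer only if the holder of the number sends the code back
        before it expires and within the attempt limit."""
        pending = self._pending.get(number)
        if pending is None:
            return False, "no pending request"
        if self._clock() > pending.expires_at:
            del self._pending[number]
            return False, "code expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[number]
            return False, "too many attempts"
        # Constant-time comparison on bytes; a plain == leaks via timing and
        # str comparison would raise on non-ASCII input.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return False, "wrong code"
        del self._pending[number]
        return True, f"transfer of {number} approved for {pending.requester}"


if __name__ == "__main__":
    # Constructed scenario: the attacker fills in the LOA, but the code lands on
    # the subscriber's handset, so the attacker can only guess.
    handset: Dict[str, str] = {}          # stands in for the real subscriber's phone
    gate = TransferConsentGate(deliver=lambda n, c: handset.__setitem__(n, c))
    number = "+14155550100"               # assumed sample number
    gate.request(number, "attacker who signed an LOA")
    print(gate.confirm(number, "000000"))              # attacker guessing
    print(gate.confirm(number, handset[number]))       # subscriber replying
```

The point of injecting `deliver` is that the code path the requester controls (the web form) and the path the code travels (a call or text to the number) are different channels; if a service ever echoes the code back to the requester, or lets the requester choose where it is delivered, the check collapses to the original "fill out a form and say pretty please".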
Based on the high-level description given in the article, it seems to be related to an ENUM lookup or NetNumber. It's basically a kind of DNS lookup for phone numbers used for SMS routing. It is also used for routing SMS belonging to a user to an application (in case you want to reroute your SMS to an application). The company will change the ENUM code for the number to a code that belongs to the company and reroute the messages to its services.
So the hack is not really a hack in the sense that it works as intended; the safety net is missing, though. The company operating the ENUM is supposed to check the legitimacy of the change.
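As an added illustration of the DNS-style lookup the comment above describes (not code from the article or from any of the companies named in it): in public ENUM (RFC 6116) an E.164 number is turned into a domain name under e164.arpa and the NAPTR records at that name say, per service, where the number's traffic should go. Whoever is allowed to write those records decides where SMS for the number ends up. The zone below is constructed for the example; the number, the carrier and attacker hostnames and the record values are all assumptions.

```python
import re
from collections import namedtuple

# A NAPTR record as it would appear in an ENUM zone (RFC 6116 / RFC 3403).
NAPTR = namedtuple("NAPTR", "order preference flags service regexp replacement")


def e164_to_enum_name(number: str, suffix: str = "e164.arpa") -> str:
    """Map an E.164 number to its ENUM domain name (RFC 6116, section 3.2):
    drop the '+', reverse the digits, dot-separate them, append the suffix."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError(f"not an E.164 number: {number!r}")
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(regexp_field: str, number: str) -> str:
    """Apply a NAPTR regexp field, <delim>ere<delim>repl<delim>flags, to the
    original number and return the resulting URI. Assumes the delimiter does
    not occur inside the ERE or the replacement."""
    delim = regexp_field[0]
    parts = regexp_field[1:].split(delim)
    if len(parts) < 2:
        raise ValueError(f"malformed NAPTR regexp field: {regexp_field!r}")
    ere, repl = parts[0], parts[1]
    flags = parts[2] if len(parts) > 2 else ""
    match = re.match(ere, number, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        raise ValueError(f"{number!r} does not match NAPTR regexp {ere!r}")
    # NAPTR back-references \1..\9 use the syntax Python's expand() accepts.
    return match.expand(repl)


def resolve_sms_target(zone: dict, number: str):
    """Resolve where SMS for `number` is delivered according to `zone`, a dict
    standing in for the ENUM DNS tree: take the terminal ('u' flag) E2U+sms
    NAPTR with the lowest (order, preference) and rewrite the number with it.
    Returns None when the zone has no SMS route for the number."""
    records = zone.get(e164_to_enum_name(number), [])
    candidates = [r for r in records
                  if r.service.lower() == "e2u+sms" and "u" in r.flags.lower()]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r.order, r.preference))
    return apply_naptr_regexp(best.regexp, number)


# Constructed sample zone: the subscriber's carrier owns the routes.
SUBSCRIBER = "+14155550100"
LEGIT_ZONE = {
    e164_to_enum_name(SUBSCRIBER): [
        NAPTR(100, 10, "u", "E2U+sip", r"!^.*$!sip:user@carrier.example.net!", "."),
        NAPTR(100, 20, "u", "E2U+sms", r"!^\+(.*)$!sms:+\1@carrier.example.net!", "."),
    ]
}

# The same zone after a third party was allowed to add a higher-priority
# (lower order) SMS record for a number it does not own: texts now go there,
# and nothing in the lookup itself can tell that the change was illegitimate.
REROUTED_ZONE = {
    e164_to_enum_name(SUBSCRIBER): LEGIT_ZONE[e164_to_enum_name(SUBSCRIBER)] + [
        NAPTR(10, 10, "u", "E2U+sms", r"!^.*$!sms:inbox@attacker.example!", "."),
    ]
}


if __name__ == "__main__":
    print("ENUM name:", e164_to_enum_name(SUBSCRIBER))
    print("before:", resolve_sms_target(LEGIT_ZONE, SUBSCRIBER))
    print("after: ", resolve_sms_target(REROUTED_ZONE, SUBSCRIBER))
```

This is exactly why the legitimacy check has to live with whoever accepts the record change: the resolver on the receiving side just follows the lowest-order record it is given.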
That’s crazy that there is no verification system in place allowing the user to approve the forwarding.<p>Years ago I asked my carrier to not port or forward without me being physically present at a store. Maybe I should test them out to see if that’s still the case.<p>Regardless, I don’t use SMS MFA for anything important and even when I do, I have a 32 character password to go along with it.
> While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari's LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.
But as Lucky225 showed, a user can just sign up with someone else's number and receive their text messages instead.<p>Um, what?!
What I would find really interesting is if someone used this exploit to hack into the accounts of Sakari staff and sabotaged their service, deleting all their infrastructure from their cloud hosting provider etc. I'm sure Sakari would take this security hole more seriously if their own C-suite fell victim to it.
Weird. The whole idea behind the whole company is to <i>send</i> SMSes on behalf of its customers, if I understood the article correctly. So why would they need to muck about with reassigning the phone numbers of SMS <i>recipients</i> in the first place?
My strategy is to have a second phone that has Authenticator and is also the phone for any SMS based 2FA.
The phone is locked in a file cabinet when not in use and never leaves my desk.
An extra phone only costs me $10/month. Well worth the peace of mind.
These hackers have so much time on their hands that they can understand this technology better than its creators and abuse it. Amazing how hacker culture works.
Damn lies. Damn lies. The attack vector only works for VOIP or Toll Free Numbers. The upstream agreements already block Mobile numbers. This is paid marketing for his company.
Okay, so how did he manage to pull this off, and is this still possible? How would you protect yourself against this attack? (I don't understand how it works.)