Text authentication is even worse than almost anyone thought

Everyone, including me, has been lecturing IT for years about how insecure SMS-based authentication is. Now, thanks to some excellent reporting from Vice, it’s clear that the text situation is far worse than almost anyone thought. Texting doesn’t merely have inherent cybersecurity flaws; the entire telecom ecosystem surrounding the text infrastructure is absolutely abysmal.

The demonstrated whitehat attack intercepted and rerouted all of the victim’s text messages, but it wasn’t a technical takeover. The whitehat (who had been asked by the Vice reporter to try to steal his text messages) simply paid a small fee ($16) to a legitimate SMS marketing and mass messaging firm called Sakari. The whitehat had to lie about having the user’s permission, but no meaningful proof was sought.

“Once the (attacker) is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number,” the Vice story said. “In this case, the (attacker) sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.”

From an IT security perspective, this story gets far more frightening as it delves into how messed up the entire telecom universe is when it comes to protecting text communications. That is yet another reason why texting can’t be trusted for authentication or, for that matter, for almost anything.

Consider this from the story: “In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA (Letter of Authorization) obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.”

For years, the key argument against relying on text message confirmations has been that they are susceptible to man-in-the-middle attacks, which is still true. But this peek into the authorized infrastructure for text messages shows that text takeovers can happen far more simply.

Copyright © 2021 IDG Communications, Inc.
