A Hacker Got All My Texts for $16 – SMS forwarding is a real problem for 2FA

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

[…]

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him.

[…]

“Welcome to create an account if you want to mess with it, literally anyone can sign up,”

[…]

This also doesn’t rely on SS7 exploitation, where more sophisticated attackers tap into the telecom industry’s backbone to intercept messages on the fly. What Lucky225 did with Sakari is easier to pull off and requires less technical skill or knowledge. Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.

[…]

“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers. (Cyber security company Okey Systems, where Lucky225 is Director of Information, has released a tool that companies and consumers can use to detect this attack and other types of phone number takeovers).

[…]

“Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns,” the company’s website reads.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exists, each advertising its own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

[…]

In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.

[…]

Source: A Hacker Got All My Texts for $16
