Living in the digital age calls for all sorts of caution – from not sharing your CVV numbers or ATM pins, logging out of unknown devices to having private social media accounts. But as it has been said, necessity is the mother of invention; hackers have found yet another way of committing fraud. They have figured out a way to get your information such as One Time Passwords (OTPs) and login links for WhatsApp.
These hackers have started using text message managing services to silently redirect text messages to their own devices instead of the owner’s device. This instantly gives them access to any two-factor authentication codes or login links sent via WhatsApp. Sometimes these service operators don’t even inform the owner that their texts are being redirected or even ask for permission to redirect texts. Because of this, attackers are now able to intercept incoming messages and can reply to them as well.
Joseph Cox, a reporter from Motherboard, carried out an experiment to see if it would actually work. He got in contact with a hacker with the pseudonym Lucky225, and at the cost of just 16$ the hacker was able to access his text messages, WhatsApp, Bumble and Postmates accounts. The hacker was able to log into all his accounts and even take screenshots of the contents of his account.
Over the years hackers have used many methods to carry out attacks through cellular devices and exploit text messaging services. Methods like SIM swapping which means a phone number transfers to another without the owner’s approval or an SS7 attack. But with the SIM swapping method, the owner gets to know his device has been hacked because the phone disconnects from the network immediately. But with redirection of text messages, it takes a while for anyone to realise their phone has been compromised, giving hackers enough time to compromise accounts.
The main concern with these SMS attacks is the implications of it. Since most companies still send password reset options or login links through text messages, they would have access to these accounts of yours.
This also serves as a reminder that SMS should be avoided for anything security-related, and while that’s hard to imagine considering many of our industries still depend on text messages, if you do not receive an OTP for a certain transaction, probe deeper into it.