Business Today

Your OTP may not be safe as new SMS attack redirects texts to hackers

Of everything this new attack involves, the most interesting aspect is that the tools cost hackers only $16.

Shubham Verma | March 16, 2021 | Updated 11:26 IST

Highlights

  • Hackers are leveraging an exploit in the SMS management service for an attack.
  • Hackers are able to redirect any SMS meant for a number to their own system.
  • These services are available through several companies for as low as $16.

Just when you think your mobile phone is finally free of any potential threat from hackers, a new attack is always lurking. A new attack has now been discovered in which hackers are able to redirect SMSes bound for the victim's phone number to their own systems. Hackers use text-messaging management services, meant for businesses, to carry out the attack, thanks to an exploit in these services. So, in a way, these attacks are possible because of the negligence of the telecom industry, at least in the US, and hackers are in for a treat. Using the attack, hackers can redirect important text messages, such as those containing OTPs or login links for services such as WhatsApp.

The discovery was made after Motherboard reporter Joseph Cox had a hacker carry out the attack on his personal number. According to the report, the hacker could smoothly redirect the SMSes meant to arrive on his mobile number and intercept the data. The victim here, Cox, would not even know that such an attack had been targeted at him and that his SMSes were no longer reaching his phone. And the exploit in the responsible services is so big that the companies providing the services do not send any SMS to the number being targeted to ask permission, or even to inform the owner that the texts have been forwarded. So, you see, it is a foolproof attack that hackers are freely using at the telecom industry's mercy.

And the most bizarre thing about this attack is that hackers are able to access the services by paying just $16 (roughly Rs 1,160). This is the nominal fee that most providers ask for the SMS redirection services, which are meant for paying businesses, not hackers. The company that provided these services in the case of Cox has claimed it has fixed the exploit, but there are several others that have not. And, funnily, some of these companies know about the exploit yet blame CTIA, the trade organisation for the wireless industry in the US. CTIA, however, told Motherboard that it had "no indication of any malicious activity involving the potential threat or that any customers were impacted."

The new SMS redirection attack is just another one in the series of hacking activities that involve SMS and cellular systems. SIM swapping and SS7 attacks have been around for quite a while, impacting a large number of users. However, the most discernible thing about these two attacks is that the victim gets to know within a few moments that his phone has been hacked, as the phone loses the cellular network completely. This is not the case with SMS redirection, where the victim does not even get to know such activity is happening. It is normal to think that there might be an issue with the network when you do not get an SMS that you expected to receive on your phone, such as an OTP text.

And this is a horrifying situation. Imagine the hacker is able to receive the OTPs for transactions and various other authentication-enabled activities, and your accounts are no longer accessible to you because their passwords were reset. Or worse, imagine the hacker logs into your WhatsApp account using an OTP and accesses your chats. Motherboard's Cox said the exploit affected his WhatsApp, Bumble, and Postmates accounts, where the hacker managed to log in and screenshot the content. The hacker could blackmail you into paying ransom for these screenshots.

To avoid being a victim of such mishaps, it is advised that you do not rely much on SMS services. For two-factor authentication (2FA), it is better to use authenticator apps such as Google Authenticator or Authy. And for bank-related OTPs, it is better to have your email address registered with your account to receive the OTPs. That said, without your banking details, the OTP will not be of much use to the hacker anyway.
