A security researcher who uses the pseudonym Lucky225 demonstrated how unlucky someone could be if their text messages were hacked. Working with Joseph Cox, a journalist from Vice, and with Cox’s permission, Lucky225 showed how easy it was to reroute Cox’s text messages and, in turn, gain access to many of his personal accounts.
Cloud-Based Texting Service
This was done by signing up for a service from a company called Sakari, which provides a cloud-based text messaging service that “allows businesses to send SMS reminders, alerts, confirmations, and marketing campaigns.” The least expensive service plan they offer is $16, which Lucky225 signed up for using Joseph’s number. This demonstration reveals gaps in SMS security, an area that has been widely neglected in the world of cybersecurity.
After Joseph’s texts were rerouted, he explained that he was not aware his messages had even been intercepted, and his phone gave no warning of what was happening. The texts intended for him never arrived; Lucky225 received them instead. In addition to Joseph’s texts, Lucky225 was able to access his WhatsApp, Facebook, and other personal accounts by authenticating with the texts.
The co-founder of Sakari, Adam Horsman, explains the company has “not seen any previous instances of intentional abuse of text enablement…SMS is a hugely powerful communication medium, and as it continues to dominate the communication landscape, and there are improvements needed by the industry – both carriers and resellers – to improve security and trust.”
Are Text Messages Secure?
Many online accounts require users to register a phone number for Multi-Factor Authentication in order to log in. This practice is widely used across all types of accounts, such as banks, social media, email, and more. With this understanding, we can expect cybercriminals to exploit SMS messages to access our most personal information. This cybersecurity threat makes text-message-based Multi-Factor Authentication ineffective across accounts, and the interception is undetectable to the user.
Statistics about users’ relationships with their mobile devices:
A mobile user is 18x more likely to be exposed to a phishing attempt than malware. Channels like SMS and messaging apps are being leveraged at scale to distribute phishing links.
Mobile use accounts for approximately half of web traffic worldwide. In the third quarter of 2020, mobile devices (excluding tablets) generated 50.81 percent of global website traffic (Statista).
98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6% (Gartner).