from Hacker News

SMS phishing is way too easy

by ricardbejarano on 6/24/22, 2:52 PM with 294 comments

  • by jakear on 6/24/22, 4:52 PM

    Bottom line up front: When sending tokens via SMS, you must include a "do not share this token with anyone besides X.com" text. Otherwise account takeovers become trivial.

    The article's attack is relatively benign - the user simply goes to a website. Sure they may end up putting info in that website, but probably not. Plus existing systems for malicious website filtering can kick in to prevent this.

    The more concerning attack is the social engineering one where a third party says something like "let me 'verify' your identity, I'll send you a number tell me what it is" then triggers an identity verification request on the domain (this can be done either manually or part of a sign up flow for some honeypot service). Now the target needs only relay 6 digits to someone they already "trust" and are in a conversation with, versus in the article's example they needed to put their full account info into an unknown website.

  • by smitop on 6/24/22, 5:26 PM

    Android supports "verified SMS" wherein the sender proves their identity to Google, tells Google the hashes of messages they send, and Google can tell recipients if the message hash is legit or not: https://developers.google.com/business-communications/verifi...
  • by turrini on 6/24/22, 6:05 PM

    Maybe implement a two-way verification, for example:

    In the app/website: "You will receive an SMS with two 6-digit numbers, one to certify that we sent it to you and another to type below. Our chosen number is 887-987, type the other one"

    In the SMS: "Two-way verification. Check if it's us with number 887-987 and confirm with number 543-621"
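    The scheme turrini sketches above, written out as server-side logic. This is an added example, not code from the comment or from any real service: it assumes an in-memory challenge store, a stand-in send_sms() that appends to a list instead of calling a gateway, and constructed phone numbers, wording, expiry and attempt limits.

    ```python
    """Two-way SMS verification: one code shown on screen and echoed in the SMS
    ("check it's us"), a second code sent only in the SMS and typed back.

    Added example, not code from the original post. Assumes an in-memory store
    and a stand-in send_sms(); a real deployment would use a database and an
    SMS gateway. Phone numbers, wording, TTL and attempt limits are constructed.
    """
    import hmac
    import secrets
    import time
    from dataclasses import dataclass
    from typing import Dict, List, Tuple

    CODE_TTL_SECONDS = 300   # assumption: a challenge is valid for five minutes
    MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate it


    @dataclass
    class Challenge:
        display_code: str    # shown on screen AND echoed in the SMS
        confirm_code: str    # sent ONLY in the SMS; the user types it back
        issued_at: float
        attempts: int = 0


    OUTBOX: List[Tuple[str, str]] = []     # constructed stand-in for an SMS gateway
    CHALLENGES: Dict[str, Challenge] = {}  # keyed by phone number


    def six_digits() -> str:
        # CSPRNG output, zero-padded so "000123" is a valid code
        return f"{secrets.randbelow(1_000_000):06d}"


    def pretty(code: str) -> str:
        return f"{code[:3]}-{code[3:]}"


    def send_sms(phone: str, body: str) -> None:
        OUTBOX.append((phone, body))


    def start_verification(phone: str, service: str = "example.com") -> str:
        """Create both codes, send the SMS, and return the text the app displays.
        Only display_code goes on screen; confirm_code is never shown in the app."""
        ch = Challenge(six_digits(), six_digits(), time.time())
        CHALLENGES[phone] = ch
        send_sms(
            phone,
            f"{service} two-way verification. Check it's us: {pretty(ch.display_code)}. "
            f"Confirm with: {pretty(ch.confirm_code)}. Never share this code with anyone.",
        )
        return (
            "You will receive an SMS with two 6-digit numbers. Our number is "
            f"{pretty(ch.display_code)}; type the other one below."
        )


    def finish_verification(phone: str, typed: str) -> bool:
        """Accept the confirm code once, within the TTL and the attempt budget."""
        ch = CHALLENGES.get(phone)
        if ch is None:
            return False
        if time.time() - ch.issued_at > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            CHALLENGES.pop(phone, None)
            return False
        ch.attempts += 1
        typed = typed.replace("-", "").strip()
        if not (typed.isascii() and typed.isdigit()):
            return False
        # constant-time compare so response timing does not leak matching prefixes
        ok = hmac.compare_digest(typed, ch.confirm_code)
        if ok:
            CHALLENGES.pop(phone, None)   # single use
        return ok


    if __name__ == "__main__":
        print(start_verification("+15555550100"))
        print("SMS sent:", OUTBOX[-1][1])
    ```

    What this does and does not buy you: the echoed display code lets the recipient confirm that the SMS came from the party they are currently talking to, which defeats a cold unsolicited text. It does not stop the relay case from jakear's comment, because a phishing page that triggers the real login flow sees the real display code and can show it to the victim.
    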

  • by dools on 6/25/22, 1:58 AM

    Banning sending URLs via SMS is a terrible idea, there are too many valid use cases.

    Potentially disabling URLs from alphanumeric senders is a good idea, but it’s also very easy to get virtual numbers for sending SMS spam.

    I think a good balance would be making URLs not clickable for any number that is not in your contacts which also makes it difficult to copy and paste for an average user.

    The onus is then on providers to make sure anyone they may send links to saves the number as a contact and that they always use the same number, and have that number on their website.

    So when you register for delivery notifications a message goes out saying you should save the contact number. If all Fedex notifications come from the same number the user only needs to do this once.

  • by silvestrov on 6/24/22, 3:59 PM

    Another possible solution: Government enacts a law that telecom companies MUST ensure that SenderID is valid for the company that sends the SMS.
  • by blobbers on 6/24/22, 9:17 PM

    Super interesting. I've been getting increasingly intense phishing stuff related to citi bank credentials (my account was hacked verify my credentials on shady citi site) as well as AT&T bill being paid (collect my prize for paying my bill).

    They haven't managed to hijack an actual sender though, and their domain names still look slightly shady because they're things like citi01.

    The AT&T one is HTML wrapped so I can't even click the link without seeing what it is (and don't want to because maybe there is some exploit that launches an app that does something? Am I too paranoid?)

  • by baxtr on 6/24/22, 3:49 PM

    I have two phone numbers. One is for 2-way authentication, the other I give out freely on any website that requires a phone number (and to all my friends).

    It's basically the same setup I use with emails.

    Not entirely sure if it's safer that way. But so far I get SMS spam only on the "burner" number.

  • by rockbruno on 6/24/22, 4:06 PM

    It's even worse when you think of how phone companies often recycle dead phone numbers. I remember in Brazil you would often hear of people accidentally stealing someone else's account in apps where login == phone number due to this. It's an awful verification system all over.

  • by danschumann on 6/24/22, 5:44 PM

    This is another reason why using password managers is good. I let it auto fill, so if I got redirected to a bad domain, it wouldn't autofill, and I'd double-check the domain.
  • by alpb on 6/25/22, 3:39 AM

    >> Companies should stop sending URLs over SMS.

    Doesn't make any sense. Companies can stop sending, but that doesn't prevent scammers from sending it. If anything, Apple or Google can run an in-device ML model to understand if a link is scammy/phishy vs genuine. They do it all the time on your browser.

  • by mikece on 6/24/22, 4:04 PM

    And yet almost every bank requires it for 2FA and only a precious few offer TOTP or some other reasonable and secure form of 2FA.
  • by cwoolfe on 6/24/22, 5:16 PM

    "add number two to your backlog if you work on iOS or Android" I would...but as an iOS and Android developer, how do I know if it's a non-verified sender ID? The reason browsers can warn on these things is because of public key infrastructure, but that doesn't exist for SMS phone numbers. Am I missing something?

  • by permo-w on 6/24/22, 5:09 PM

    in the same vein, email providers need to stop unverified email senders setting their own identifiers. if it's not from an email I've interacted with before, show me the email address itself and nothing else.

    there's really no good reason for the automatic contactification of email addresses. if I want someone's emails to be marked as being from John Smith, I will do that myself. if amazon or x known company is sending me an email, I do not care, identify the sender as the email address it was sent from.

  • by rr888 on 6/24/22, 5:04 PM

    I really don't want a phone number any more, I don't need one for any friends or family contact. Really the only reason is for 2FA, which is ironic as it seems the weakest link.

  • by orliesaurus on 6/24/22, 5:12 PM

    Request for proposal: SPF, DMARC, DKIM authenticity authentication but for SMS
  • by bricemo on 6/24/22, 3:37 PM

    Very sad to see the United States as “No” and “No” listed next to the protections page linked
  • by longrod on 6/24/22, 7:18 PM

    Phones were here way before 2FA and Internet. The technology is poorly designed for modern attack vectors but it's so widespread it's crazy. Every single person out there has a phone number - one of the primary reasons it is still offered as a 2FA option.

    Not to mention how widespread the coverage is. There are many places around the world where you have cell connectivity but no Internet.

    In short, you can't get rid of it short of throwing away the SIM. Is it possible to have SMS v2 that's safer like we went from 2G to 5G?

  • by advisedwang on 6/24/22, 5:06 PM

    Securing SMS sender ID may prevent you trusting a URL from a text, but that's not enough. We can't prevent people from ever clicking on a phony URL, so we need to ensure even if you hit a phishing page that you can't have credentials stolen. SMS and TOTP can't do this, even if they are secured, because phishing pages can forward the credential.

    The only solid way to prevent phishing is non-forwardable credentials, ie FIDO/U2F. We need to make this easier and more ubiquitous.
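    The "non-forwardable" property advisedwang describes, shown as a runnable model of a WebAuthn/FIDO assertion. This is an added example, not code from the comment or from any FIDO library. One assumption is deliberate: an HMAC keyed per credential stands in for the security key's asymmetric signature so the example runs on the standard library alone; the origin-binding checks, which are the point, are the same as in the real protocol. The relying-party id, origins and challenge bytes are constructed.

    ```python
    """Why a relayed FIDO/WebAuthn assertion fails where a relayed OTP succeeds.

    Added example, not code from the original comment or from any FIDO library.
    Assumption: an HMAC keyed per credential stands in for the authenticator's
    ECDSA signature so this runs on the standard library; the origin binding is
    what the example demonstrates and is unchanged. All names are constructed.
    """
    import hashlib
    import hmac
    import json
    import secrets

    RP_ID = "example.com"                 # constructed relying-party id
    RP_ORIGIN = "https://example.com"     # origin the relying party expects
    PHISH_ORIGIN = "https://examp1e.com"  # constructed look-alike origin


    class Authenticator:
        """Stand-in for a security key: one secret per registered credential."""

        def __init__(self) -> None:
            self.credential_key = secrets.token_bytes(32)

        def sign(self, rp_id: str, client_data_hash: bytes):
            # authenticatorData starts with SHA-256(rpId) and a flags byte (UP set);
            # the authenticator signs authenticatorData || SHA-256(clientDataJSON)
            auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
            sig = hmac.new(self.credential_key, auth_data + client_data_hash,
                           hashlib.sha256).digest()
            return auth_data, sig


    def browser_get_assertion(authn: Authenticator, page_origin: str, challenge: bytes) -> dict:
        """What the browser does: it, not the page, writes `origin` into clientData.
        (Real browsers also refuse to use a credential whose RP ID does not match
        the page's domain; that check is omitted so the RP-side check is visible.)"""
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": page_origin,
        }).encode()
        auth_data, sig = authn.sign(RP_ID, hashlib.sha256(client_data).digest())
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


    def rp_verify(credential_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
        """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False
        if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge.hex()):
            return False
        if cd.get("origin") != RP_ORIGIN:       # the phishing-resistance check
            return False
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        expected_sig = hmac.new(
            credential_key,
            auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
            hashlib.sha256,
        ).digest()
        return hmac.compare_digest(expected_sig, assertion["signature"])


    def fido_login(authn: Authenticator, page_origin: str) -> bool:
        """One login: the RP issues a fresh challenge, the browser sitting on
        `page_origin` answers it, the RP verifies. A phishing page that relays
        the real challenge gets an assertion bound to its own origin."""
        challenge = secrets.token_bytes(32)
        assertion = browser_get_assertion(authn, page_origin, challenge)
        return rp_verify(authn.credential_key, challenge, assertion)


    if __name__ == "__main__":
        key = Authenticator()
        print("login from real origin:", fido_login(key, RP_ORIGIN))
        print("relayed via phishing origin:", fido_login(key, PHISH_ORIGIN))
    ```

    The contrast with an SMS or TOTP code is that the code is just six digits with no origin attached, so the relying party cannot tell whether the user typed it into the real site or into a relay. Here the origin is inside the signed data: a relay produces an assertion for the wrong origin, and rewriting the origin after the fact breaks the signature.
    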

  • by krylon on 6/24/22, 4:25 PM

    Huh. I received a text message a couple of weeks ago, informing me the "gift" that I had "bought" had been delivered to the "location agreed upon" by me, and to please visit this really suspicious looking URL for details.

    The Internet, for better or worse, has taught me a healthy amount of skepticism, plus I definitely had not bought any gifts (how is it a gift if I buy it myself?). But I can see how it is easy to fall for these scams if you aren't used to looking for them.

  • by acd on 6/24/22, 5:29 PM

    I got a prepaid cash card phone number and got someone else's previous mobile phone number. I get a Snapchat 2FA code which is not mine. Don't trust SMS for 2FA.

  • by lxgr on 6/24/22, 3:45 PM

    I wish we would just stop using phone numbers as the primary user identifier and SMS as the primary communication channel, period.

    The amount of cruft involved in SMS delivery is unbelievable, and phone numbers are neither particularly stable, nor particularly well protected against takeovers.

  • by jimmont on 6/25/22, 2:38 AM

    The remedy for this lies with Apple and Google to compete over. They’re naturally incentivized in various ways. Mozilla too but Mozilla can’t seem to figure out what to do until it’s passed by, even when the opportunity is still there. Imagine paying it forward to not have calls and text and voicemails related to your expiring warranty, reliable messages, etc. I don’t think even slack can touch this. Otherwise they would have already. Allow me to point out the planet has been networked for over 100 years and this is the best our lawmakers and tech companies can muster. It’s as though everyone has lost sight of doing something practical (for money).
  • by megous on 6/24/22, 5:43 PM

    Call ID is the same. Some trunks come with ability to set any number you like, without any verification. You just provide the number you like in a SIP INVITE message header, and that's it.
  • by Gunax on 6/24/22, 9:44 PM

    The more I read about phones and texting, the more I realize that they were never intended to be used as security verification.

    It just was not one of the design goals. My understanding of caller id is that anyone can put anything there--it was made decades ago to serve as convenience--not to verify.

    Likewise with the sender id in SMS.

    It's a good lesson on how protocols are hijacked. Someone thought it was a good idea to send text messages. Another person decided to leverage it for security. Et voilà, we have a security apparatus that isn't very secure.

  • by projektfu on 6/24/22, 5:22 PM

    Clickable links also enabled people to lose control of their WhatsApp accounts. The message was legit but the request was not. If they had sent a code, the attacker would have to convince people to give it to them. With the link, a lot of users assumed they needed to click to keep using Whatsapp. Not sure what Facebook was thinking but it was a pretty bad move.
  • by O__________O on 6/24/22, 4:12 PM

    Stop using SMS for 2FA.

    Not familiar with SMS Sender ID Verification, but after quick Google, I was unable to find any signs that it counters SMS spoofing.

    SMS as a 2FA channel is broken. There are so many vulnerabilities that it just makes no sense to use; for example: corrupt telco employees, SS7, sim card cloning, sim swap, spoofing, governments, etc.

    Beyond that, if you’re located or traveling internationally, it’s a nightmare to deal with.

    NIST has not recommended SMS based 2FA since 2016:

    https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...

  • by theginger on 6/24/22, 4:18 PM

    As far as I am aware there is no reasonable way for carriers to verify sender IDs or to communicate a verified status with an SMS message. So you would end up labelling all messages as not verified, which might provide some clarity for a short time until it just becomes noise that gets ignored.
  • by tuyenhx on 6/24/22, 10:11 PM

    This has been a problem for banks in Viet Nam for a year.

    They faked the bank's message and sent a link with the same UI as the bank. Many people got hacked.

    I got a few messages like this. The only thing I could do was inform my (non-tech) friend to avoid these things.

  • by sgoto on 6/24/22, 9:18 PM

    The first SMS from github is origin bound, it cannot be used for phishing: https://wicg.github.io/sms-one-time-codes/
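    The origin-bound format sgoto links, combined with the "do not share this code" wording jakear asks for earlier in the thread. This is an added example, not code from either comment, from GitHub, or from the WICG draft. It assumes a plain-text SMS, a six-digit code, and a relying party that knows which https origin the code belongs to; the hosts, codes and message wording are constructed.

    ```python
    """Origin-bound one-time SMS codes: compose the message with the
    machine-readable "@host #code" binding on its last line, and check on the
    receiving side that the code is surfaced only to the origin it is bound to.

    Added example, not code from the original post, from GitHub, or from the
    WICG draft. Assumes plain-text SMS and an https origin; all values below
    are constructed.
    """
    import re
    from typing import Dict, Optional

    # Final line of the message: "@<host> #<code>", optionally followed by
    # " @<host>" naming the embedded frame's origin when the code is for an iframe.
    LAST_LINE = re.compile(
        r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[0-9A-Za-z]+)(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
    )


    def compose_sms(host: str, code: str, service_name: str = "ExampleCo") -> str:
        """Human-readable text first, machine-readable binding as the last line."""
        return (
            f"{service_name} login code: {code}. It expires in 10 minutes. "
            f"{service_name} staff will never ask for this code; do not share it "
            f"with anyone, including callers claiming to be {service_name}.\n"
            f"@{host} #{code}"
        )


    def parse_bound_code(sms: str) -> Optional[Dict[str, Optional[str]]]:
        """Return host/code/embedded from the final line, or None if not bound."""
        last = sms.rstrip("\n").rsplit("\n", 1)[-1]
        m = LAST_LINE.match(last)
        if m is None:
            return None
        d = m.groupdict()
        d["host"] = d["host"].lower()
        if d["embedded"]:
            d["embedded"] = d["embedded"].lower()
        return d


    def host_of(origin: str) -> Optional[str]:
        """Host part of an https origin; http is rejected (secure origins only)."""
        if not origin.startswith("https://"):
            return None
        rest = origin[len("https://"):]
        return rest.split("/", 1)[0].split(":", 1)[0].lower() or None


    def code_for_origin(sms: str, page_origin: str,
                        frame_origin: Optional[str] = None) -> Optional[str]:
        """What a WebOTP-style client does: hand the code only to the bound origin.
        A look-alike domain, an http page, or an unbound message all get nothing."""
        parsed = parse_bound_code(sms)
        page_host = host_of(page_origin)
        if parsed is None or page_host is None or parsed["host"] != page_host:
            return None
        if parsed["embedded"]:
            # code is for a frame: the frame's origin must match as well
            if frame_origin is None or host_of(frame_origin) != parsed["embedded"]:
                return None
        elif frame_origin is not None:
            return None   # bound to the top-level page only
        return parsed["code"]


    if __name__ == "__main__":
        msg = compose_sms("example.com", "123456")
        print(msg)
        print("real origin  :", code_for_origin(msg, "https://example.com"))
        print("look-alike   :", code_for_origin(msg, "https://examp1e.com"))
    ```

    The binding only helps on the automatic path (the browser or OS filling the code in); a user who reads the SMS and types the digits by hand can still be talked into giving them to the wrong party, which is why the plain-language warning stays in the message as well.
    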
  • by grantla on 6/24/22, 10:05 PM

    SMS really just needs to die, and we'll all be better off.
  • by ranger_danger on 6/24/22, 8:30 PM

    Where does it say how the actual phishing message itself is easy to send? I see no explanation there. How does one send a message with a different SenderID?
  • by smokey_circles on 6/24/22, 7:05 PM

    Phone numbers and email: the primary identifiers that were never meant to be used as such.

    No idea what a good alternative is though. Preferably something federated though

  • by uvu on 6/26/22, 3:18 AM

    My OnePlus phone automatically detects spam and moves it to trash. I am sure there is an easy way to identify it.

  • by z3t4 on 6/24/22, 7:38 PM

    Could build your own protocol on top of SMS. Double opt-in, encrypted and signed. See for example MMS.

  • by ogn3rd on 6/28/22, 4:59 PM

    Same issue since caller ID. Force the ANI as the BTN.
  • by 0xbeefeed on 6/24/22, 7:13 PM

    A lot of people in this thread saying SMS is bad for 2FA. It's not. Just because you can spoof the sender field doesn't mean you can spoof being a receiver. Only the valid number will ever receive the 2FA code.

  • by kwhitefoot on 6/24/22, 4:58 PM

    How do the examples in the article cause any problem? You only get sent a code when you request it. And you type it into a website that you are familiar with.

  • by kome on 6/24/22, 5:56 PM

    that's why I never used 2FA using SMS: it's crap.