by ricardbejarano on 6/24/22, 2:52 PM with 294 comments
by jakear on 6/24/22, 4:52 PM
The article's attack is relatively benign - the user simply goes to a website. Sure they may end up putting info in that website, but probably not. Plus existing systems for malicious website filtering can kick in to prevent this.
The more concerning attack is the social engineering one where a third party says something like "let me 'verify' your identity, I'll send you a number tell me what it is" then triggers an identity verification request on the domain (this can be done either manually or part of a sign up flow for some honeypot service). Now the target needs only relay 6 digits to someone they already "trust" and are in a conversation with, versus in the article's example they needed to put their full account info into an unknown website.
by smitop on 6/24/22, 5:26 PM
by turrini on 6/24/22, 6:05 PM
In the app/website: "You will receive an SMS with two 6-digit numbers, one to certify that we sent it to you and another to type below. Our chosen number is 887-987, type the other one"
In the SMS: "Two-way verification. Check if it's us with number 887-987 and confirm with number 543-621"
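The two-code scheme in the comment above, worked through end to end as an added example (my own code, not the commenter's or any vendor's; the `Session` class, the function names and the sample messages are constructed for illustration). The app reveals only the "sender proof"; the SMS carries both numbers; the user checks that the proof is present and types back the other one, and the server accepts only that other one.

```python
"""Two-code SMS verification: one number proves the sender, the other proves the user."""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Codes are rendered as "ddd-ddd", which is also how we find them in an SMS body.
CODE_RE = re.compile(r"\b(\d{3}-\d{3})\b")


def new_code() -> str:
    # Six digits from a CSPRNG, zero-padded, formatted ddd-ddd.
    n = secrets.randbelow(10**6)
    return f"{n // 1000:03d}-{n % 1000:03d}"


@dataclass
class Session:
    sender_proof: str  # shown in the app; must appear in the SMS
    user_code: str     # appears only in the SMS; must be typed into the app


def start_session() -> Session:
    # Both codes are independent; knowing one says nothing about the other.
    return Session(sender_proof=new_code(), user_code=new_code())


def app_prompt(s: Session) -> str:
    # What the app or website displays. Only the sender proof is revealed here.
    return ("You will receive an SMS with two 6-digit numbers. "
            f"Our chosen number is {s.sender_proof}; type the other one.")


def sms_text(s: Session) -> str:
    # The legitimate SMS carries both numbers.
    return (f"Two-way verification. Check if it's us with number {s.sender_proof} "
            f"and confirm with number {s.user_code}")


def user_side_check(app_shown_proof: str, sms: str) -> Optional[str]:
    """What the user does: find the codes in the SMS, confirm one of them is the
    number the app displayed, and return the other one to type in.
    Returns None when the SMS lacks the sender proof (an unrelated or spoofed
    sender cannot know it) or is otherwise malformed."""
    codes = CODE_RE.findall(sms)
    if app_shown_proof not in codes:
        return None
    others = [c for c in codes if c != app_shown_proof]
    return others[0] if len(others) == 1 else None


def server_verify(s: Session, typed: str) -> bool:
    # Constant-time compare against the user code only; the sender proof,
    # which the app itself displayed, must never be accepted as the answer.
    return hmac.compare_digest(s.user_code, typed)


if __name__ == "__main__":
    # Fixed values from the comment, instead of start_session(), so the demo is reproducible.
    sess = Session(sender_proof="887-987", user_code="543-621")
    legit = sms_text(sess)
    # Constructed spoof: a sender who does not know the proof can only guess.
    spoof = ("Two-way verification. Check if it's us with number 111-222 "
             "and confirm with number 999-000")
    print(app_prompt(sess))
    print("legit SMS   ->", user_side_check("887-987", legit))   # 543-621
    print("spoofed SMS ->", user_side_check("887-987", spoof))   # None
    print("server accepts typed code:", server_verify(sess, "543-621"))
```

Note what this does and does not cover: it lets the user reject an SMS that did not come from the real service, which is the spoofed-brand case. It does nothing against the relay scenario raised earlier in the thread, where the attacker triggers the genuine flow and asks the victim to read the code back, because in that case the SMS is legitimate and the proof matches.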
by dools on 6/25/22, 1:58 AM
Potentially disabling URLs from alphanumeric senders is a good idea, but it’s also very easy to get virtual numbers for sending SMS spam.
I think a good balance would be making URLs not clickable for any number that is not in your contacts which also makes it difficult to copy and paste for an average user.
The onus is then on providers to make sure anyone they may send links to saves the number as a contact and that they always use the same number, and have that number on their website.
So when you register for delivery notifications a message goes out saying you should save the contact number. If all Fedex notifications come from the same number the user only needs to do this once.
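The policy sketched in this comment (links stay clickable only for senders saved as contacts, and are shown defanged otherwise), as an added example in Python. This is my own illustration of a client-side triage rule, not code from any messaging app; the sender classes, the contact list and the three sample messages are constructed, and `citi01-secure.example` is a placeholder look-alike domain in the spirit of the `citi01`-style names mentioned in the thread.

```python
"""Triage incoming SMS by sender trust and neutralise links from untrusted senders."""
import re
from typing import Dict, Iterable, List

E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")            # full international number
SHORT_CODE_RE = re.compile(r"^\d{3,8}$")              # carrier short code
ALNUM_SENDER_RE = re.compile(r"^[A-Za-z0-9 ]{1,11}$")  # alphanumeric sender ID (up to 11 chars)
# Bare or scheme-prefixed URLs; all groups are non-capturing so findall() returns whole matches.
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")

# Constructed contact list: the number the user saved after the delivery sign-up message.
CONTACTS = {"+15550100"}

# Constructed sample messages: (sender, body).
SAMPLES = [
    ("+15550100", "FedEx: your parcel is out for delivery. Track it at https://fedex.example/track/123"),
    ("CITI", "Citi Alert: unusual sign-in. Verify now at citi01-secure.example/login"),
    ("+15550199", "Hi, it's Dan, new number. Call me when you can"),
]


def classify_sender(sender: str, contacts: Iterable[str]) -> str:
    # Contacts win outright; anything else is untrusted, but we keep the
    # distinction because alphanumeric IDs are the easiest to spoof.
    if sender in set(contacts):
        return "contact"
    if E164_RE.match(sender):
        return "unknown_number"
    if SHORT_CODE_RE.match(sender):
        return "short_code"
    if ALNUM_SENDER_RE.match(sender):
        return "alphanumeric"
    return "malformed"


def defang(url: str) -> str:
    # Conventional defanging: "http" -> "hxxp" and "." -> "[.]" so auto-linkers
    # do not turn the text into a tappable link and copy-paste needs deliberate editing.
    return url.replace("http", "hxxp").replace(".", "[.]")


def render(sender: str, body: str, contacts: Iterable[str]) -> Dict[str, object]:
    """Decide how a message is displayed: links are clickable only from contacts."""
    sender_class = classify_sender(sender, contacts)
    links: List[str] = URL_RE.findall(body)
    clickable = sender_class == "contact"
    display = body
    if not clickable:
        for link in links:
            display = display.replace(link, defang(link))
    return {
        "sender_class": sender_class,
        "links": links,
        "clickable": clickable,
        "display": display,
    }


def triage(messages: Iterable[tuple], contacts: Iterable[str]) -> List[Dict[str, object]]:
    return [render(sender, body, contacts) for sender, body in messages]


if __name__ == "__main__":
    for result in triage(SAMPLES, CONTACTS):
        print(f"[{result['sender_class']:14}] clickable={result['clickable']!s:5} {result['display']}")
```

The rule is deliberately coarse: a saved contact can still be spoofed if the sender field itself is forged, which is why the comment pairs it with providers always using one stable number. Short codes are classed separately so a deployment could choose to trust them, but this example leaves them non-clickable.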
by silvestrov on 6/24/22, 3:59 PM
by blobbers on 6/24/22, 9:17 PM
They haven't managed to hijack an actual sender though, and their domain names still look slightly shady because they're things like citi01.
The AT&T one is HTML-wrapped so I can't even click the link without seeing what it is (and don't want to because maybe there is some exploit that launches an app that does something? Am I too paranoid?)
by baxtr on 6/24/22, 3:49 PM
It's basically the same setup I use with emails.
Not entirely sure if it's safer that way. But so far I get SMS spam only on the "burner" number.
by rockbruno on 6/24/22, 4:06 PM
by danschumann on 6/24/22, 5:44 PM
by alpb on 6/25/22, 3:39 AM
Doesn't make any sense. Companies can stop sending, but that doesn't prevent scammers from sending it. If anything, Apple or Google can run an in-device ML model to understand if a link is scammy/phishy vs genuine. They do it all the time on your browser.
by mikece on 6/24/22, 4:04 PM
by cwoolfe on 6/24/22, 5:16 PM
by permo-w on 6/24/22, 5:09 PM
There's really no good reason for the automatic contactification of email addresses. If I want someone's emails to be marked as being from John Smith, I will do that myself. If Amazon or X known company is sending me an email, I do not care; identify the sender as the email address it was sent from.
by rr888 on 6/24/22, 5:04 PM
by orliesaurus on 6/24/22, 5:12 PM
by bricemo on 6/24/22, 3:37 PM
by longrod on 6/24/22, 7:18 PM
Not to mention how widespread the coverage is. There are many places around the world where you have cell connectivity but no Internet.
In short, you can't get rid of it short of throwing away the SIM. Is it possible to have SMS v2 that's safer like we went from 2G to 5G?
by advisedwang on 6/24/22, 5:06 PM
The only solid way to prevent phishing is non-forwardable credentials, ie FIDO/U2F. We need to make this easier and more ubiquitous.
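What "non-forwardable" means in practice, as an added illustration (my own toy, not a FIDO library and not the commenter's code): the browser, not the web page, tells the authenticator which origin it is on, and that origin is part of what gets signed, so an answer produced on a look-alike domain never verifies at the real site. To keep it short, a per-origin HMAC key stands in for the per-site key pair a real security key holds; the class and function names are mine. A relayed SMS code is shown alongside for contrast.

```python
"""Origin-bound challenge/response versus an origin-less SMS code."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def _signed_data(origin: str, challenge: bytes) -> bytes:
    # Both sides sign/verify over the same encoding of (origin, challenge).
    return json.dumps({"origin": origin, "challenge": challenge.hex()}, sort_keys=True).encode()


class Authenticator:
    """Toy security key: one secret per relying-party origin it was registered on."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        # Real FIDO hands the RP a public key; this toy hands over the shared secret.
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def sign(self, origin_seen: str, challenge: bytes) -> Optional[bytes]:
        # `origin_seen` comes from the browser and is mixed into the signed data.
        # A credential registered for bank.example is never used elsewhere.
        key = self._keys.get(origin_seen)
        if key is None:
            return None
        return hmac.new(key, _signed_data(origin_seen, challenge), hashlib.sha256).digest()


class RelyingParty:
    """The real site. It verifies over its *own* origin, never one supplied by the client."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._cred: Optional[bytes] = None

    def enroll(self, auth: Authenticator) -> None:
        self._cred = auth.register(self.rp_id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: Optional[bytes]) -> bool:
        if signature is None or self._cred is None:
            return False
        expected = hmac.new(self._cred, _signed_data(self.rp_id, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_via(browser_origin: str, rp: RelyingParty, auth: Authenticator) -> bool:
    """One login attempt from a page at `browser_origin`. In the phishing case the
    attacker's page forwards the real RP's challenge and forwards the answer back;
    the challenge bytes are genuine, but the signature covers the wrong origin."""
    challenge = rp.new_challenge()
    signature = auth.sign(browser_origin, challenge)
    return rp.verify(challenge, signature)


def sms_otp_relay(code_sent_by_rp: str, code_read_out_by_victim: str) -> bool:
    # Contrast: a 6-digit SMS code carries no origin, so a relayed code
    # verifies exactly as if the victim had typed it on the real site.
    return hmac.compare_digest(code_sent_by_rp, code_read_out_by_victim)


if __name__ == "__main__":
    key, bank = Authenticator(), RelyingParty("bank.example")
    bank.enroll(key)
    print("real site        :", login_via("bank.example", bank, key))        # True
    print("look-alike domain:", login_via("bank-login.example", bank, key))  # False
    print("SMS code relayed :", sms_otp_relay("543621", "543621"))           # True
```

Even if the look-alike site manages to get a credential registered for its own origin, the signature it can obtain is over `bank-login.example`, and `RelyingParty.verify` recomputes over `bank.example`, so it still fails; the test below covers that case too.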
by krylon on 6/24/22, 4:25 PM
The Internet, for better or worse, has taught me a healthy amount of skepticism, plus I definitely had not bought any gifts (how is it a gift if I buy it myself?). But I can see how it is easy to fall for these scams if you aren't used to looking for them.
by acd on 6/24/22, 5:29 PM
by lxgr on 6/24/22, 3:45 PM
The amount of cruft involved in SMS delivery is unbelievable, and phone numbers are neither particularly stable, nor particularly well protected against takeovers.
by jimmont on 6/25/22, 2:38 AM
by megous on 6/24/22, 5:43 PM
by Gunax on 6/24/22, 9:44 PM
It just was not one of the design goals. My understanding of caller id is that anyone can put anything there--it was made decades ago to serve as convenience--not to verify.
Likewise with the sender id in SMS.
It's a good lesson on how protocols are hijacked. Someone thought it was a good idea to send text messages. Another person decided to leverage it for security. Et voilà, we have a security apparatus that isn't very secure.
by projektfu on 6/24/22, 5:22 PM
by O__________O on 6/24/22, 4:12 PM
Not familiar with SMS Sender ID Verification, but after a quick Google, I was unable to find any signs that it counters SMS spoofing.
SMS as a 2FA channel is broken. There are so many vulnerabilities that it just makes no sense to use; for example: corrupt telco employees, SS7, sim card cloning, sim swap, spoofing, governments, etc.
Beyond that, if you’re located or traveling internationally, it’s a nightmare to deal with.
NIST has not recommended SMS based 2FA since 2016:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...
by theginger on 6/24/22, 4:18 PM
by tuyenhx on 6/24/22, 10:11 PM
They faked the bank's message and sent a link with the same UI as the bank's. Many people got hacked.
I got a few messages like this. The only thing I could do was inform my (non-tech) friend to avoid these things.
by sgoto on 6/24/22, 9:18 PM
by grantla on 6/24/22, 10:05 PM
by ranger_danger on 6/24/22, 8:30 PM
by smokey_circles on 6/24/22, 7:05 PM
No idea what a good alternative is, though. Preferably something federated.
by uvu on 6/26/22, 3:18 AM
by z3t4 on 6/24/22, 7:38 PM
by ogn3rd on 6/28/22, 4:59 PM
by 0xbeefeed on 6/24/22, 7:13 PM
by kwhitefoot on 6/24/22, 4:58 PM
by kome on 6/24/22, 5:56 PM