🦊 LOA + $16 = you're h@ck3d

Mar 16, 2021 3:31 pm

...it's scary fast and scary easy; inside a new SMS hack, letters of authorization, and the next wave of consumer-level phone hacks.


Oh hey there! I'm Jon Fedor and this is InCyber Regular, edition six. I talk about cyber security issues and awareness for smaller enterprises and the cyber-curious. I also tweet a lot.


In today's edition: We talk about how a bad guy can steal your phone without stealing your phone.


SMS hacks come in all shapes and sizes. Your plastic and metal square, while being a cellular phone, is also (little-known fact) a chunk of Swiss cheese. Today's edition of InCyber follows on the jet-trails of Matt Cameron's harrowing simjacking story. Read more about how surviving that attack launched his career in security.


I detail the critical steps for countering this type of attack on your mobile number a couple of sections down...


SMS hacks in your face

The story opens with a tremendous article from Vice's Motherboard about how Joseph Cox and team paid a hacker to take over Joseph's number. The attacker used a business SMS automation platform, Sakari, to execute the hack: they filled out a Letter of Authorization (LOA) provided by Sakari to claim ownership of Joseph's mobile number, under the pretense of wanting to send SMS messages from that number. Sakari didn't check with the number's actual owner before honoring the LOA.


But the attacker then turned around and used that access to receive the journalist's incoming text messages, including the verification codes that got them into his WhatsApp, Bumble, and Postmates accounts.


Why and how? The biggest reason is that users of WhatsApp, Bumble, and many others log in with their mobile number and a code sent by text, NOT an email and password. Whoever receives the texts for a number can log in as its owner.


This is a huge weakness, and it's quickly becoming a mainstream attack technique for bad guys.


(Huge thanks to Patrick Zangardi for the heads-up on this story, by the way).


All this for the price of $16 to use Sakari for a month.


Did Sakari have anything to say about this?


Yes

When confronted with how easy it was to stage this attack on their platform, Sakari's co-founder made changes immediately. There are now stricter identity-verification requirements and a confirmation-code process to ensure Sakari users actually own the numbers they are using to send bulk SMS messages.


However.


There are dozens (and then some) of SMS automation SaaS platforms out there. If one door closes, it's easy for a bad guy to find another option with a quick Google search.


How to avoid an SMS hack

This is a disturbing story. Like disturbing on the level of those babies with grown up faces in Medieval paintings.


But despite this (and despite your mobile being a hunk of Swiss cheese) there's a straightforward plan to avoid an SMS hack:


  1. For services like WhatsApp: Always check your security settings and turn on any additional verification options (such as email notifications).
  2. Use a @protonmail.com email for those notifications.
  3. Turn on multifactor authentication (MFA) on these accounts. If MFA isn't available (or is *only* available via text / SMS) very...very seriously consider whether or not you need that service.
  4. Don't use services that verify your login exclusively through text / SMS. Period.
  5. Use OkeyMonitor's tool to protect against this exact type of attack.


From the Vice article: "Okey Systems' monitoring tool works by creating a fingerprint of a user's phone number, including the carrier it is connected to and its SMS routes, Tuketu, the company's CEO, said."


It's super easy to set up; the steps are shown in the image below.


[image: setup steps]
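To make the mechanics concrete, here is a toy simulation I've added for this edition (it is not Sakari's, Okey Systems', or any carrier's code, and the phone number, endpoint names and message formats are made up). It models the three moving parts of the story: a routing table that says where a number's texts land, a bulk-SMS platform whose only "check" is a signed LOA, and an app that logs people in by phone number plus a texted code. It then shows the two controls from the list above doing their job: a second factor that never travels over SMS (a standard RFC 6238 TOTP, using the RFC's published test secret) and a route fingerprint in the spirit of the Okey quote, which flags that the number's routing changed.

```python
"""Toy model of the SMS-redirect takeover described above, plus two defences.

Constructed example for this newsletter; nothing here is Sakari's, Okey's, or
any real carrier's code. Names, numbers and message formats are made up.
"""
import hashlib
import hmac
import secrets
import struct
import time

# --- toy carrier: where does each number's SMS traffic currently land? --------
ROUTES = {}   # number -> (carrier, endpoint)
INBOX = {}    # endpoint -> list of delivered SMS bodies


def register_number(number, carrier, endpoint):
    ROUTES[number] = (carrier, endpoint)
    INBOX.setdefault(endpoint, [])


def deliver_sms(number, text):
    """Deliver text to whatever endpoint the number is routed to right now."""
    _, endpoint = ROUTES[number]
    INBOX[endpoint].append(text)


# --- toy bulk-SMS platform with the weak, pre-fix LOA check --------------------
def submit_loa_weak(number, signed_name, platform_endpoint):
    """A filled-in Letter of Authorization is all it takes to rebind the route.
    Nothing is sent to the number's current owner to confirm."""
    if not signed_name.strip():
        raise ValueError("LOA must be signed")
    carrier, _ = ROUTES[number]
    ROUTES[number] = (carrier, platform_endpoint)
    INBOX.setdefault(platform_endpoint, [])


# --- toy app that identifies users by phone number only -----------------------
ISSUED = {}   # number -> last login code sent


def request_login(number):
    code = f"{secrets.randbelow(10**6):06d}"
    ISSUED[number] = code
    deliver_sms(number, f"Your login code is {code}")


def extract_code(sms_text):
    return sms_text.rsplit(" ", 1)[-1]


def sms_only_login(number, code):
    return hmac.compare_digest(code, ISSUED.get(number, ""))


# --- defence 1: a second factor that does not travel over SMS (RFC 6238 TOTP) --
def totp(secret, t=None, step=30, digits=6):
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**digits:0{digits}d}"


def login_with_totp(number, sms_code, totp_code, secret, t=None):
    return sms_only_login(number, sms_code) and hmac.compare_digest(totp_code, totp(secret, t))


# --- defence 2: fingerprint the number's routing and alert on change -----------
def fingerprint(number):
    carrier, endpoint = ROUTES[number]
    return hashlib.sha256(f"{number}|{carrier}|{endpoint}".encode()).hexdigest()


def route_changed(number, baseline):
    return fingerprint(number) != baseline


def run_scenario():
    """Play the attack through and report what each control sees."""
    ROUTES.clear(); INBOX.clear(); ISSUED.clear()   # fresh state on every run
    victim = "+15550001111"                          # made-up number
    register_number(victim, "ExampleCarrier", "victim-handset")
    baseline = fingerprint(victim)                   # recorded while the route is still good
    totp_secret = b"12345678901234567890"            # RFC 4226/6238 test secret; lives only on the victim's authenticator
    now = 1_700_000_000                              # fixed clock so the run is repeatable

    # Attacker files an LOA on the bulk-SMS platform and redirects the number.
    submit_loa_weak(victim, "J. Doe", "attacker-platform")
    # Attacker starts a phone-number login for the victim's account...
    request_login(victim)
    # ...and reads the code from the platform inbox, since SMS now lands there.
    stolen = extract_code(INBOX["attacker-platform"][-1])
    # Attacker has no TOTP secret, so model their attempt as any wrong code.
    wrong_totp = f"{(int(totp(totp_secret, now)) + 1) % 10**6:06d}"
    return {
        "victim_handset_got_code": len(INBOX["victim-handset"]) > 0,
        "sms_only_login_hijacked": sms_only_login(victim, stolen),
        "totp_gated_login_hijacked": login_with_totp(victim, stolen, wrong_totp, totp_secret, now),
        "route_change_detected": route_changed(victim, baseline),
    }


if __name__ == "__main__":
    for control, result in run_scenario().items():
        print(f"{control}: {result}")
```

Two things worth noticing when you run it: the victim's handset never sees the login text at all (the first thing Joseph noticed in the real story was that his texts stopped arriving), and the SMS-only login is fully hijacked while the TOTP-gated one is not, even though the attacker holds a perfectly valid SMS code. The fingerprint check is deliberately dumb; what makes it useful is recording the baseline before anything goes wrong.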


The way forward is clear

In addition to the steps I recommend above, the truth is that you need a good, reliable tool for generating, storing, and using strong passwords & MFA codes.


Just think about how many apps you have on your phone.


How many emails you have.


How many retirement, financial, insurance, and, let's face it, streaming service accounts you have (yes, I can see into your soul).


Just grab 1Password and say hello to your new best friend: a good night's sleep.


Btw, I'm a 1Password affiliate partner. That's a new thing for me, though. I've been using 1Password for years to lock down my digital doors. My partner and I classify 1Password as a utility in our budget - right up there with electricity, natural gas, and water.


It's *that* important.


Ok.


Thanks!

If you enjoyed this or learned something feel free to forward this email. Or pass along the link to sign up for InCyber Regular. I love writing this thing for y'all and I want to keep doing it. And I want it to get better weekly. So let's make it happen already.


Have a good'un, Good Lookin'.


~Jon don't-hack-my-texts-bro Fedor
