If you thought you could stay free of cyber threats just by being careful on the internet, not sharing sensitive information with others, and not clicking on links in unsolicited junk mail, you are wrong. Hackers have found a new way to get your information, including one-time passwords (OTPs) and login links for services like WhatsApp.
A new attack has now been discovered in which hackers are able to redirect SMS messages bound for the victim’s phone number to their own systems. Hackers use text-messaging management services, meant for businesses, to carry out the attack, thanks to a flaw in these services. So, in a way, these attacks are possible because of the negligence of the telecom industry, at least in the US, and hackers are in for a treat. Using the attack, hackers can redirect important text messages, such as those containing OTPs or login links for services such as WhatsApp.
The discovery was made after Motherboard reporter Joseph Cox had a hacker carry out the attack on his personal number. According to the report, the hacker could smoothly redirect the SMS messages meant for his mobile number and intercept the data. The victim here, Cox, would not even know that such an attack had been aimed at him and that his SMSes were no longer reaching his phone. And the flaw in the responsible services is so big that the companies providing them do not send any SMS to the targeted number to ask permission, or even to inform the owner that the texts are being forwarded. So, you see, it is a foolproof attack that hackers are freely using, courtesy of the telecom industry.
And the most bizarre thing about this attack is that hackers are able to access the services by paying just $16 (roughly Rs 1,160). This is the nominal fee that most providers ask for SMS redirection services meant for paying businesses — not hackers. The company that provided these services in the case of Cox has claimed it has fixed the flaw, but there are several others that have not. And, funnily, some of these companies know about the flaw yet blame CTIA, the trade organization for the wireless industry in the US. CTIA, however, told Motherboard that it had “no indication of any malicious activity involving the potential threat or that any customers were impacted.”
And this is a horrifying situation. Imagine the hacker is able to receive the OTPs for various authentication-enabled transactions, and your accounts are no longer accessible to you because their passwords were reset. Or worse, imagine the hacker logs into your WhatsApp account using an OTP and accesses your chats. Motherboard’s Cox said the attack affected his WhatsApp, Bumble, and Postmates accounts, where the hacker managed to log in and screenshot the content. The hacker could blackmail you into paying a ransom for these screenshots.
To avoid being a victim of such mishaps, it is advised that you do not rely much on SMS services. For two-factor authentication (2FA), it is better to use authenticator apps such as Google Authenticator or Authy. And for bank-related OTPs, it is better to have your email address registered with your account to receive the OTPs. Without your banking details, though, the OTP will not be of much use to the hacker anyway.