A security researcher, who uses the pseudonym Lucky225, demonstrated how unlucky someone could be if their text messages were hacked.
Working with Joseph Cox, a journalist from Vice, and with Cox’s permission, Lucky225 showed how easy it was to reroute Cox’s text messages and, in turn, gain access to many of his personal accounts.

Cloud Based Texting Service

This was done by signing up for a service provided by a company called Sakari, which provides a cloud-based text messaging service that “allows businesses to send SMS reminders, alerts, confirmations, and marketing campaigns.” The least expensive service plan they offer is $16, which Lucky225 signed up for using Joseph’s number.
This demonstration reveals gaps in the security of SMS messaging, which has been widely neglected in the world of cybersecurity.

After Joseph’s texts were rerouted, he explained that he was not aware his messages had even been intercepted, and his phone gave no warning of what was happening.
The texts intended for him were never received, and Lucky225 received them instead.
In addition to Joseph’s texts, Lucky225 was able to gain access to his WhatsApp, Facebook, and other personal accounts by authenticating with the texts.

The co-founder of Sakari, Adam Horsman, explains that the company has “not seen any previous instances of intentional abuse of text enablement… SMS is a hugely powerful communication medium, and as it continues to dominate the communication landscape, and there are improvements needed by the industry – both carriers and resellers – to improve security and trust.”

Are Text Messages Secure?

Many online accounts require users to set up a phone number for multi-factor authentication to log in to the account.
This practice is widely used across many types of accounts, such as banks, social media, email, and more.