T-Mobile, AT&T, and Verizon have closed an SMS hijacking loophole
You might’ve read a couple of news pieces a few weeks back about a scary kind of SMS hijacking attack that was also scarily easy for anyone to pull off. Basically, a service from a company called Sakari, meant to help businesses do SMS marketing, could be used to take over someone’s number and redirect their SMS text messages to you: no questions asked, the victim didn’t even get a notification, and the service’s cheapest plan that allowed this cost just $16. This report from Motherboard surfaced a gigantic loophole: if you were using anything that relies on text messages as an authentication method, all an attacker had to do was pay $16 to reroute your messages. You can now rest easy, though, as T-Mobile, AT&T, and Verizon have all closed this loophole.
This was announced yesterday by Aerialink (via Motherboard), a communications company that helps route text messages. The announcement itself reads that “the Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers,” adding that this change is industry-wide and affects all SMS providers in the U.S. ecosystem, including all three major U.S. carriers, AT&T, T-Mobile, and Verizon, as well as operators that rely on these three companies’ cell infrastructure.
The official announcement then goes on to add that these three companies have “reclaimed overwritten text-enabled wireless numbers industry-wide” and that, as a result, “wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway.” BYON refers to the “Bring Your Own Number” feature most carriers offer so you can switch cell providers without getting a new phone number. In practice, wireless BYON numbers will no longer have their text messages routed through the Aerialink Gateway, and companies that provided rerouting services on top of it, like Sakari, will likely not be able to offer them the way they did before.
The surfacing of this loophole has forced a serious reworking of how SMS text messages are routed through carriers, and we’re glad to see the issue being addressed. Still, the best course of action is to not rely on SMS as your go-to two-factor authentication option: apps that generate one-time passcodes, such as Authy and Google Authenticator, and even stronger methods such as hardware security keys, are far better choices for protecting your online accounts going forward.