SMS-Based Authentication: A Ticking Time Bomb for Security and Privacy
Researchers from the universities of New Mexico, Arizona, Louisiana, and the firm Circle have sounded the alarm on a critical vulnerability in SMS-based authentication, which puts millions of people at risk of identity theft and financial fraud. As they noted, “We argue that these attacks are straightforward to test, verify, and execute at scale,” and can be carried out using “consumer-grade hardware and only basic to intermediate Web security knowledge.”
The Insecurity of SMS Messages
SMS messages are sent unencrypted, making them a treasure trove for hackers and cybercriminals. In the past, researchers have uncovered public databases of previously sent texts that contained authentication links and private details, including people’s names and addresses. For instance, a 2019 discovery revealed millions of stored text messages, sent and received over the years between a single business and its customers, that included usernames and passwords, university finance applications, and marketing messages with discount codes and job alerts.
A Limited View into the Problem
Despite the known insecurity, the practice of sending authentication links via SMS continues to flourish. To understand the scope of the issue, the researchers examined public SMS gateways: ad-supported websites that let people use a temporary number to receive texts without revealing their own phone number. By analyzing these gateways, the researchers collected 322,949 unique SMS-delivered URLs extracted from over 33 million texts, sent to more than 30,000 phone numbers.
Exposing Critical Personally Identifiable Information
The researchers found ample evidence of security and privacy threats to the people receiving these messages. Messages originating from 701 endpoints, sent on behalf of 177 services, exposed “critical personally identifiable information.” The root cause of the exposure was weak authentication: the verification links carried a token that, on its own, was treated as proof of identity. Anyone holding the link could therefore retrieve users’ personal information from these services, including Social Security numbers, dates of birth, bank account numbers, and credit scores.
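To make the root cause concrete, the following Python sketch contrasts the weak pattern the study describes (a link whose token alone unlocks personal data, stored in the clear, never expiring, reusable) with the controls a defender would add. This is an added illustration, not code from the study or from any of the services it measured; the user record, the PIN second factor, the `example.invalid` host and the 10-minute lifetime are all constructed assumptions.

```python
"""Weak vs hardened handling of tokenized verification links.

Added illustration; not code from the study or from any measured service.
All records, tokens, hosts and user names below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample record: the kind of data the study found exposed.
USER_RECORD = {"user_id": 42, "name": "Example Person", "ssn_last4": "0000"}


def token_from_link(link):
    """Pull the token out of a verification link (helper for the demo)."""
    return link.split("t=", 1)[1]


class WeakVerifier:
    """The pattern the article describes: the link alone is the credential.

    The raw token is stored server-side, never expires, can be reused, and
    the endpoint hands personal data to whoever presents it.
    """

    def __init__(self):
        self.tokens = {}  # token -> user_id, stored in the clear

    def issue_link(self, user_id):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user_id
        return f"https://example.invalid/verify?t={token}"

    def open_link(self, token):
        if token not in self.tokens:
            return None
        return dict(USER_RECORD)  # full profile returned to the link holder


class HardenedVerifier:
    """Same flow with the controls a defender would add.

    * only a hash of the token is stored (a leaked table yields no usable links)
    * short lifetime and single use (a text read later from a gateway log is dead)
    * a second factor that never travels over SMS (here a PIN chosen at sign-up)
    * the endpoint confirms the action but never returns identity data
    """

    TTL_SECONDS = 600  # assumed 10-minute lifetime

    def __init__(self):
        self.pending = {}  # sha256(token) -> (user_id, sha256(pin), expires_at)

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_link(self, user_id, pin, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._h(token)] = (user_id, self._h(pin), now + self.TTL_SECONDS)
        return f"https://example.invalid/verify?t={token}"

    def open_link(self, token, pin, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use: any attempt, right or wrong, consumes it
        entry = self.pending.pop(self._h(token), None)
        if entry is None:
            return {"ok": False, "reason": "unknown or already used"}
        user_id, pin_hash, expires_at = entry
        if now > expires_at:
            return {"ok": False, "reason": "expired"}
        if not hmac.compare_digest(pin_hash, self._h(pin)):
            return {"ok": False, "reason": "second factor failed"}
        return {"ok": True, "user_id": user_id}  # no PII in the response
```

Consuming the token on a failed PIN is deliberate in this sketch, so a stolen link cannot be used to guess the PIN; a production service would pair that with rate limiting so a wrong attempt does not strand the legitimate user for longer than a fresh link takes to arrive.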
A Call to Action
The study’s findings are a stark reminder of the risks associated with SMS-based authentication. As the researchers noted, the threat model can be realized using consumer-grade hardware and only basic to intermediate Web security knowledge. To mitigate these risks, it is essential to adopt more secure authentication methods, such as two-factor authentication using authenticator apps or physical security keys. For more information on this critical issue, read the full report.
Image Credit: arstechnica.com