The attack uses text message management services targeting companies to silently forward text messages from the victim to the hackers, giving them access to any two-factor authentication codes or login links that are sent via the text message.
Sometimes the companies providing the service do not send any type of message to the number that is being forwarded, either to request permission or even to notify the owner that the SMS will now be sent to someone else.
Using these services, attackers can not only intercept incoming text messages, but can respond to them as well.
Someone succeeded in carrying out the attack on Joseph Cox, Motherboard’s correspondent, and this cost the attacker only $ 16.
And when Cox contacted other companies that offer SMS forwarding services, some of them reported that they had seen this type of attack before.
The specific company Motherboard used has reportedly fixed the loophole, but there are several others similar to it, and no one appears to hold the companies accountable.
Hackers have found numerous ways to exploit SMS and cellular systems to gain access to other people’s SMS text messages, but with SMS forwarding it can take a long time before you notice that someone else is receiving your messages.
The primary concern of SMS attacks is the security implications of your other accounts.
If the attacker was able to obtain the password-reset link or code sent to your phone number, he would be able to access it and gain access to your account.
This attack highlights that SMS should be avoided for anything related to security, and it is best to use an app like Google Authenticator or Authy for two-factor authentication.
Some password managers even have built-in two-factor authentication support, like 1Password, or many other free managers.
However, there are still services and companies that use text messaging, such as the banking industry.