This week, a stunning story from Vice revealed how easy it is for an attacker to siphon away your text messages. They don’t need access to your phone; they don’t even need your SIM card. They just need to pay a trivial sum, convince a VoIP wholesaler that they’re a reseller (also a trivial matter), and sign a form swearing that they’re allowed to route messages to your number to another.
As author Lucky225 writes on Medium:
“Up until sometime on Thursday, March 11th, 2021 NetNumber was allowing any and all wireless phone numbers to have their NNIDs reassigned or hijacked without any authorization or verification as well. Presumably while this author and other journalists were seeking comment, after a proof of concept was demonstrated, it appears they have devised a scheme to pretend this is no longer a problem by temporarily not allowing wireless numbers to be hijacked.”
[...]
Furthermore, people use VoIP numbers instead of their real wireless numbers for various services and those folks are still left vulnerable to this attack while only those who don’t care about their privacy and use their real mobile numbers are protected.”
I won’t get into the nitty-gritty of the method that can be used to route your text messages away from your phone, but the fact that it was (and is?) so easy to do, and that you don’t receive an approval query or even a notification that it’s happening, is jarring.
While I’m sure a number of these business-class text-messaging services are tightening up their security, all it takes is an attacker to find one that isn’t verifying this kind of change with the actual owner of the number and it’s goodbye, incoming text messages. And that includes authentication codes you use to verify you’re you when logging into an account on an unknown device.
We’ve said it before, and we’ll keep saying it until all sites and services finally listen: It’s not secure enough to simply use a text message, or two-step authentication, to protect one’s account from unauthorized access. Whenever possible, you should be using a dedicated two-factor authentication app that requires physical access of your hardware—typically your phone—to finish the login process for an account. Text messages are not as secure as you might think. While you might never be the victim of a text-hijacking yourself, this week’s news shows it’s far from an impossibility.
It’s a lot less likely someone will get their hands on your actual smartphone, find a way to bypass the security mechanisms you have in place (touch or facial recognition) to unlock it, get through any secondary security you’ve put onto your particular 2FA app (like a PIN), and then use that to break into your accounts. By then, they will have likely either given up, or you’ll have reset your 2FA and set it up on a new device for your critical accounts, invaliding the old codes entirely.
You shouldn’t have to sign up for a monitoring tool to alert you if, or when, your phone number’s texts are routed elsewhere. (Full disclosure: The aforementioned Medium writer is the chief information officer at one such company, Okey). However, you might just want to anyway, because there are plenty of services out there that still use text messages, and only text messages, to send you login codes.
There’s little you can do if your healthcare provider, gaming website, or another site doesn’t let you use two-factor authentication, only two-step authentication. Pick a strong, unique password, lock it down with a great password-management app, and hope for the best. Also, don’t use obvious answers for your security questions; those should also be “passwords,” and you should track them just like you would any other password.
Finally, don’t not use two-step authentication if that’s all you’ve got. While it’s not 100% secure, it’s a lot better to have it enabled and force someone to jump through extra hoops to break into your account. Don’t just rely on your login+password combination if you can throw a little extra security into the mix.
There are also more extreme approaches, such as using a dedicated number for login codes that isn’t associated with your actual phone number at all. (Google Voice comes to mind; you can have it just email you text it receives, and you can lock down your Google account with two-factor authentication.) While that might not stop someone from randomly hijacking even that number, at least it would help keep you safe from a targeted attack. Well, safer. Isn’t security fun?
Google Play Music is on its way out, to be replaced by YouTube Music in the coming weeks. Google has made the transition easy for anyone who has ever
Even though none of us should be traveling right now, there are still plenty of people who want (or need) to get away from their home base. I start th
![Why Graphics Cards Are Even More Expensive in 2021 [Updated]](https://img.gamelinxhub.com/images/hero-image.fill.size_245x138.v1699835937.jpg)
Nvidia and AMD’s high-end graphics cards were already expensive in 2020 (if you could find them), but their prices are only going up. And we’re finall
Clubhouse must be onto something, because every other social media platform is launching its own version of their live, audio-only voice chats. Twitte
The May 2021 Pixel security update is ready, and you shouldn’t waste time installing it on your device.This month’s patch fixes 42 bugs found in Andro
Alt+Tab is one of Windows 10's best shortcuts. It allows you to not only switch between apps, but to see a preview of all your open windows so you can
Google’s latest wireless earbuds, the Pixel Buds A-Series, are a great choice for both Pixel users and Android owners who don’t want to break the bank
We can all probably agree that Siri isn’t the best smart assistant. Wouldn’t you rather use Google Assistant or Amazon Alexa? If you’re an iPhone user
We are a comprehensive and trusted information platform dedicated to delivering high-quality content across a wide range of topics, including society, technology, business, health, culture, and entertainment.
From breaking news to in-depth reports, we adhere to the principles of accuracy and diverse perspectives, helping readers find clarity and reliability in today’s fast-paced information landscape.
Our goal is to be a dependable source of knowledge for every reader—making information not only accessible but truly trustworthy. Looking ahead, we will continue to enhance our content and services, connecting the world and delivering value.
