SMS: Secure Messaging… Sometimes.
Warnings about taxis are commonplace, and pretty sensible fare, if you’ll forgive the pun. Make sure it’s licensed, check that the driver matches the ID, keep tabs on where they’re actually taking you, that kind of thing. However, you can now add SMS fraud to the list. Uber users in the UK are being warned about a scam in which they receive a text informing them that their trip has been “booked for 217 GBP”, followed by a link to click on if they did not in fact book this trip.
The unwitting individuals who do click the link are then sent to a fake payment site that will collect their bank details, to be used or sold on as the fraudsters like. It’s hardly the first such SMS attack in recent times. Apple themselves had their customers targeted in a similar scam which informed users their account had been frozen, and then attempted to trick them into sharing their credit card and billing information.
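The lure described above has a recognisable shape: a message that names a brand, claims a transaction or account problem, and points at a link whose domain has nothing to do with the brand. The following is an added example, not code from the original post, showing how a defender might triage incoming texts with a few simple indicators. The sample messages, the brand-to-domain table and the cue words are all constructed assumptions for illustration; the domain handling is deliberately naive (last two labels) and is not a public-suffix-aware parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (assumption: they mimic the lures described, not real texts).
SAMPLES = [
    "Uber: Your trip has been booked for 217 GBP. If you did not book this trip, "
    "visit http://uber-refund-centre.example/cancel",
    "Your Uber receipt: https://uber.com/receipts/abc",
    "Apple: your account has been frozen. Verify your billing details at "
    "http://appleid-verify.example/login",
    "Reminder: dentist appointment tomorrow at 10:30",
]

# Assumption: a small table of brands and the domains they legitimately send from.
KNOWN_BRAND_DOMAINS = {
    "uber": {"uber.com"},
    "apple": {"apple.com"},
}

URL_RE = re.compile(r"https?://[^\s]+", re.I)
# Money mention: "217 GBP", "£217", "$50", "12.99 EUR"
AMOUNT_RE = re.compile(r"\b\d+(?:\.\d{2})?\s?(?:GBP|USD|EUR)\b|[£$€]\s?\d+", re.I)
# Dispute or urgency wording that pushes the reader towards the link
CUE_RE = re.compile(r"\b(frozen|suspended|verify|did not|didn'?t|not you)\b", re.I)


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the message, with trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels (assumption, not public-suffix aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def indicators_for(text: str) -> list[str]:
    """Collect the smishing indicators present in one message."""
    indicators = []
    urls = extract_urls(text)
    if urls:
        indicators.append("contains_link")
    if AMOUNT_RE.search(text):
        indicators.append("mentions_amount")
    if CUE_RE.search(text):
        indicators.append("dispute_or_urgency_cue")

    # A named brand whose link points somewhere that brand does not own
    lowered = text.lower()
    brands = [b for b in KNOWN_BRAND_DOMAINS if b in lowered]
    for url in urls:
        host = urlparse(url).hostname or ""
        dom = registered_domain(host)
        for brand in brands:
            if dom not in KNOWN_BRAND_DOMAINS[brand]:
                indicators.append(f"link_domain_mismatch:{brand}:{dom}")
    return indicators


def is_suspicious(text: str) -> bool:
    """Flag on a brand/domain mismatch, or on a link combined with money or pressure wording."""
    ind = indicators_for(text)
    if any(i.startswith("link_domain_mismatch") for i in ind):
        return True
    return "contains_link" in ind and (
        "mentions_amount" in ind or "dispute_or_urgency_cue" in ind
    )


if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{'SUSPICIOUS' if is_suspicious(msg) else 'ok':10} {indicators_for(msg)}")
```

Run as a script it prints a verdict and the indicator list for each constructed message; the two lures are flagged, the genuine receipt and the appointment reminder are not. The point of the brand/domain check is that it does not rely on the sender number at all, since that is exactly the field a spoofed SMS controls.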
So SMS is clearly a risk: it is alarmingly easy to send someone a spoofed message and hope they follow its instructions, to their peril. But the reality is that SMS is far more vulnerable than those incidents imply. Social engineering can render it useless as part of a two-factor authentication process. The factors in question can be simplified to ‘something you know’, such as a fact, and ‘something you have’, such as your phone. As the security researcher and forensics expert Jonathan Zdziarski has pointed out, with the ability to send fake, unauthenticated messages, “SMS has turned that ‘something you have’ into ‘something they sent you.’” Which rather makes a mockery of the two-factor part of the equation.

Add to that the fake ‘stingray’ cell phone towers and the ongoing debacle that is the SS7 protocol, and the message is clear (whether it got intercepted on the way or not). The days of SMS as a trusted means of communication aren’t simply numbered, they’re over. However, ludicrous though it may seem, the use of SMS remains commonplace across numerous industries, including those that really should know better, such as banking. Every time they rely on this outdated channel they put themselves and their customers at risk – needlessly.

The obvious response is to move to a form of mobile messaging that offers real end-to-end encryption, with security at its heart. But don’t make the mistake of assuming that all such platforms and apps are created equal. In my next post I’ll be taking a look at some of those touting themselves as secure and trusted, and shining a light on a few of the ways they’ve been considerably less than watertight.