A Hacker Got All My Texts for $16 – VICE (2024)

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.

“Welcome to create an account if you want to mess with it, literally anyone can sign up,” Lucky225, the pseudonymous hacker who carried out the attack, told Motherboard, describing how easy it is to gain access to the tools necessary to seize phone numbers.

Fortunately, Lucky225 was taking over my number and breaking into the connected accounts with my permission to demonstrate the flaw. This also doesn’t rely on SS7 exploitation, where more sophisticated attackers tap into the telecom industry’s backbone to intercept messages on the fly. What Lucky225 did with Sakari is easier to pull off and requires less technical skill or knowledge. Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.

Once the hacker is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case, the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.

“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers. (Cyber security company Okey Systems, where Lucky225 is Director of Information, has released a tool that companies and consumers can use to detect this attack and other types of phone number takeovers).

The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over targets’ phone numbers in order to harass them, drain their bank accounts, or otherwise tear through their digital lives. The attack also brings up issues around private, corporate, and national security, where once a hacker gains a foothold on a victim’s phone number, they may be able to intercept sensitive information or personal secrets.

“It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed,” Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack.

“Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns,” the company’s website reads.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exists, each advertising its own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

Do you work for telecom or one of the other companies mentioned? Do you know anything else about this attack? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

A few minutes after they entered my T-Mobile number into Sakari, Lucky225 started receiving text messages that were meant for me. I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts.

“Hello. This is Lorenzo,” my colleague Lorenzo Franceschi-Bicchierai wrote to the number.

“Hi Lorenzo :) – Lucky,” the hacker replied.

“As of today, you don’t know this happens,” Teli Tuketu, the CEO of Okey Systems, told Motherboard in a phone call, referring to how there is no way for the target to immediately know their text messages have been rerouted. “You don’t know these attacks happen.”

Motherboard also created an account for verification purposes, but Sakari suspended the account after being contacted for comment.

It is not clear how much this method of attack is being used in the wild on mobile numbers. Karsten Nohl, a researcher from Security Research Labs who has investigated telecommunications security for years, said he had not seen it before. Tuketu said it “absolutely” is happening.

Ted Blatt, vice president of sales at Text My Main Number, a similar company to Sakari, told Motherboard in an email that “we just recently suspected suspicious activity on one of our accounts and immediately shut it down and reported this activity on our end.”

Motherboard created Bumble, Postmates, and WhatsApp accounts in part because of their reliance on SMS as either a signup or login method for user accounts, rather than, say, an email address and password (this is the case for many apps).

Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation said that the demonstrated attack “underscores the importance of moving people off of SMS 2FA and, more broadly, off of ‘login with your phone number’ solutions.”

Neither Bumble nor Postmates responded to a request for comment. WhatsApp does have mitigations in place, such as notifying users when they are logged out of their device because their account was accessed from another. A WhatsApp spokesperson told Motherboard in a statement that “With so many apps relying on SMS codes, it’s critical that mobile carriers do more to protect their customers’ privacy and security. To stay ahead of this problem, WhatsApp has built features that notify users and their chats when someone registers a new device. In addition, we strongly encourage turning on two factor verification, which protects accounts with a special user-created pin that helps prevent others from using your WhatsApp number.”

AT&T, T-Mobile, and Verizon acknowledged requests for comment, but then directed Motherboard to CTIA, a trade association representing the wireless industry. CTIA said in a statement that “After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter.”

The “carrier doesn’t matter,” Lucky225 said, regarding which carriers the attack can work on. “It’s basically the wild west.”

As for how Sakari has this capability to transfer phone numbers, Nohl from Security Research Labs said “there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs.”

In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.

When asked for comment, NetNumber also pointed Motherboard to the CTIA statement.

The flow of the capability to reroute text messages is similar in some ways to the cell phone location data market, where telecommunications giants such as T-Mobile, AT&T, and Sprint sold access to their customers’ location data to a series of aggregators, who then in turn resold that access to other companies. And along with that transfer of the location data access, each company also pushed the need to obtain consent down to the company below it, resulting in wide room for abuse. In 2019, Motherboard reported on how we paid a bounty hunter source $300 to gain the location of a phone to demonstrate the issue, with the target phone not receiving any sort of text message or voice call to confirm they had provided consent to be tracked. Verizon introduced its own consent mechanism, in which it forced, at the carrier level, a targeted phone to receive a text message to confirm the owner consented to sharing their location data.

That practice of delegating the need to obtain consent to other companies also applies to this latest issue of text messaging routing. In this case, Sakari asked Lucky225 to sign an LOA to confirm they had the authority to take control of Motherboard’s phone number, but at the time Sakari did not send any sort of message to the target number to confirm whether the user consented to the transfer. Bandwidth said it was the responsibility of the retail service provider, which in this case was Sakari, to obtain the consent.

“While text message forwarding might have legitimate applications for businesses, the particular implementation underpinning this attack is appallingly weak in security and data privacy. Telcos have different ways of authenticating their customers, obviously including text messaging. The fact that none of these authentication methods are used in this case to get consent from the owner of a forwarded phone number is shocking,” Nohl added.

Adam Horsman, co-founder of Sakari, told Motherboard in an email “Sakari takes privacy and security extremely seriously, and we already go above and beyond industry standards. Our success depends on us being a trusted platform with zero tolerance for fraud or spam,” and added that on top of the LOA, Sakari has “a robust process for verification on top of this, including validating each client’s business email address, manual review by a team member whenever an account requests an upgrade to a paid plan, and confirming a genuine payment method.”

“We have not seen any previous instances of intentional abuse of text-enablement, and your researcher played the role of a bad actor within a genuine company, which is an unusual vector of attack. But we appreciate you bringing this to our attention, and have updated our hosted messaging process to catch this in the future,” he continued. Malicious insiders or customers are a common, established means of attack, whether that is rogue employees or clients abusing the access they’ve been granted.

Horsman added that, effective immediately, Sakari has added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number. As part of another test, Lucky225 did try to reroute texts for the same number with consent using a different service called Beetexting; the site already required a similar automated phone call to confirm the user’s consent. This was in part “to avoid fraud,” the automated verification call said when Motherboard received the call. Beetexting did not respond to a request for comment.
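The kind of check described above, where a signed LOA alone is not enough and the number itself must answer a call and return a code, can be sketched as follows. This is an added example, not Sakari’s or Beetexting’s code; the class, the function names, the attempt limit and the expiry time are all assumptions, and the phone number is a constructed sample.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3          # assumed policy values, not taken from the article
CODE_TTL_SECONDS = 600


class TextEnablementRequest:
    """Hypothetical provider-side record of a request to receive a number's SMS."""

    def __init__(self, account_id, number, loa_signed):
        self.account_id = account_id
        self.number = number
        self.loa_signed = loa_signed
        self.state = "pending"      # pending -> active | rejected
        self.code = None
        self.expires_at = 0.0
        self.attempts = 0

    def start_owner_check(self, place_call, now=None):
        """Generate a one-time code and read it out in a call to the number itself."""
        if not self.loa_signed:
            raise ValueError("LOA must be signed before verification starts")
        now = time.time() if now is None else now
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        place_call(self.number, self.code)

    def confirm(self, submitted, now=None):
        """Activate routing only if the code heard on the call is returned in time."""
        now = time.time() if now is None else now
        if self.state != "pending" or self.code is None:
            return False
        if now > self.expires_at:
            self.state = "rejected"
            return False
        self.attempts += 1
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.state = "active"
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "rejected"   # no further guesses on this request
        return False


def routing_allowed(request):
    """SMS may be rerouted only after the number's holder has confirmed."""
    return request.state == "active"


def simulate(knows_code):
    """Constructed scenario: a requester with a signed LOA who did or did not get the call."""
    heard = {}
    req = TextEnablementRequest("acct-demo", "+15555550100", loa_signed=True)
    req.start_owner_check(lambda number, code: heard.update({number: code}), now=0.0)
    if knows_code:
        req.confirm(heard[req.number], now=30.0)
    else:
        wrong = "000000" if heard[req.number] != "000000" else "000001"
        for _ in range(MAX_ATTEMPTS):
            req.confirm(wrong, now=30.0)
    return req.state, routing_allowed(req)


if __name__ == "__main__":
    print("holder confirms:", simulate(True))
    print("LOA only:", simulate(False))
```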

Horsman said Sakari will also audit all existing text-enabled numbers “across all Sakari accounts to make sure there are no other instances.”

“SMS is a hugely powerful communication medium, and as it continues to dominate the communication landscape, we agree there are improvements needed by the industry—both carriers and resellers—to improve security and trust. Unlike voice, porting messaging privileges is not as regulated and as a result is not standardized for industry participants. For example, it often does not include a final step of the losing carrier review and verification before a port is made. Industry experience has demonstrated that regulation from the FCC on messaging porting would greatly improve the security and effectiveness of the ecosystem,” Horsman added.

In a statement, FCC Acting Chairwoman Jessica Rosenworcel said “If true, these reports about newly discovered smartphone vulnerabilities are alarming. Consumers rely on their smartphones for more activities and sensitive data than ever before. We need to better understand this potential vulnerability and make sure we are taking the right steps to protect and educate consumers.”

Senator Mark Warner told Motherboard in a statement that “While policymakers have paid considerable attention to the ways in which social media platforms have been exploited by bad actors, relatively little attention has been paid to the ways in which bad actors readily exploit vulnerabilities and broken processes in the wireless sector to further fraud, facilitate cyber-crime, and engage in harassment and abuse. We see over and over again that technologies are not being evaluated for their susceptibility to abuse and exploitation by bad actors. This new report raises serious concerns about the degree to which the wireless industry has prioritized this vector for fraud, abuse, and cyber-crime.”

Okey Systems’ monitoring tool works by creating a fingerprint of a user’s phone number, including the carrier it is connected to and its SMS routes, Tuketu, the company’s CEO, said. The company has also sought access to telecoms’ SIM databases, meaning they could monitor for changes there too.

With these observation points, when something changes, either by a hijack like in this attack or a SIM swap, Okey Systems should be able to detect and warn the user by a text message sent to another number or their email address. Tuketu said the company is also adding support for notifications via Telegram, Keybase, and Signal.
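The fingerprint-and-compare approach described above can be illustrated with a short sketch. This is an added example, not Okey Systems’ code; the snapshot fields, the finding names and the sample observations are constructed, and how a real monitor obtains carrier, SMS-route or SIM data is not covered here.

```python
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class RouteSnapshot:
    """One observation of a phone number (all field names are hypothetical)."""
    number: str
    voice_carrier: str     # carrier the handset is attached to
    sms_route_owner: str   # entity that SMS for this number is delivered to
    sim_id: str            # opaque SIM identifier, if a data source exposes one

    def fingerprint(self) -> str:
        blob = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()


def classify_change(baseline, current):
    """Compare an observation with the trusted baseline and name what changed."""
    if baseline.number != current.number:
        raise ValueError("snapshots describe different numbers")
    if baseline.fingerprint() == current.fingerprint():
        return []          # cheap path: nothing moved
    carrier_changed = current.voice_carrier != baseline.voice_carrier
    sim_changed = current.sim_id != baseline.sim_id
    route_changed = current.sms_route_owner != baseline.sms_route_owner
    kinds = []
    if carrier_changed:
        kinds.append("carrier_change")
    if sim_changed:
        kinds.append("sim_change")          # consistent with a SIM swap
    if route_changed:
        # Texts go elsewhere while carrier and SIM look untouched: the case
        # in the article, where the handset shows no sign of a problem.
        silent = not (carrier_changed or sim_changed)
        kinds.append("sms_reroute_silent" if silent else "sms_route_change")
    return kinds


def monitor(baseline, observations):
    """Return (index, findings) for every observation that deviates.

    The baseline is deliberately not updated on a change; it should only
    move once the number's holder confirms the change was intended.
    """
    alerts = []
    for index, snapshot in enumerate(observations):
        kinds = classify_change(baseline, snapshot)
        if kinds:
            alerts.append((index, kinds))
    return alerts


# Constructed sample data: fictional number and placeholder provider names.
BASELINE = RouteSnapshot("+15555550100", "carrier-a", "carrier-a", "sim-001")
OBSERVATIONS = [
    RouteSnapshot("+15555550100", "carrier-a", "carrier-a", "sim-001"),
    RouteSnapshot("+15555550100", "carrier-a", "messaging-provider-x", "sim-001"),
    RouteSnapshot("+15555550100", "carrier-a", "carrier-a", "sim-777"),
]

if __name__ == "__main__":
    for index, kinds in monitor(BASELINE, OBSERVATIONS):
        print(f"observation {index}: {', '.join(kinds)}")
```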

“We didn’t want to disclose it until we had some solutions to address it,” Tuketu said. “We did not want to charge for them, because that just doesn’t seem right.” The consumer version of Okey Monitoring is free to use, and the company plans to make money in other ways like corporate partnerships, he said.

But Sakari is only one company. And there are plenty of others available in this overlooked industry.

Tuketu said that after one provider cut-off their access, “it took us two minutes to find another.”

Lorenzo Franceschi-Bicchierai contributed reporting to this article.

Update: This piece has been updated to include a response from NetNumber. Originally, Tuketu said Okey Systems has gained access to AT&T’s SIM database. Tuketu misspoke; instead the company has sought access to such databases.


