SMS Is Garbage

Home 📂 Blog Posts

Published at: 2018-09-20 02:11:58 +0000

I got an SMS phishing attack today. After providing login credentials (I didn't provide real ones) it had a prompt to enter the "2 Factor SMS code".


Here are a few things that can, and did, go wrong with SMS messages to make this attack possible.

From Field (SMS Networks)

The spammer set the SMS From field to my phone number so it looked like it was form myself. Remember in almost every country you can choose who an SMS comes from and it doesn't need to be a phone number either, it can be an ASCII string up to 11 chars long. Twilio do some ownership verification, but that is entirely optional and no spammer would use a reputable service.

Link Previews (iMessage)

iMessage showed a very dangerous link preview, choosing to show the start of the URL instead of the end. That's much worse than just showing the text message without a link preview, because that way you could see the ridiculous domain.

One and a Half Factor Authentication ("Modern" "Security" Practice)

It is probably time to stop calling it two factor authentication if you don't include the browser's requested domain or some other out of band request information in the signing function input!

SMS codes or TOTP can be MITMed by attacks like these. This thing is written in "StackOverflow PHP" (one of my first programming languages) so I think anyone can pull off an attack like this.

WebAuthn may provide the capability for domain level information to be included but the success of BGP hijacking makes this insufficient without a serious VPN.

What Went Right (Safari)

Password AutoFill won't suggest passwords for the wrong domain.

Generated by Max Space