‘A Hacker Got All My Texts For $16’

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me. Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.

“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” said Lucky225, the pseudonymous hacker who carried out the attack, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers.

In a statement to Motherboard, Senator Ron Wyden said: “Itâ(TM)s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Paiâ(TM)s approach of industry self-regulation clearly failed.”