Reviews

Millions of people imperiled through sign-in links sent by SMS

By: Chaim Potok

Date:

Share:

Millions of people imperiled through sign-in links sent by SMS

[ad_1]

Millions of people imperiled through sign-in links sent by SMS

“We argue that these attacks are straightforward to test, verify, and execute at scale,” the researchers, from the universities of New Mexico, Arizona, Louisiana, and the firm Circle, wrote. “The threat model can be realized using consumer-grade hardware and only basic to intermediate Web security knowledge.”

SMS messages are sent unencrypted. In past years, researchers have unearthed public databases of previously sent texts that contained authentication links and private details, including people’s names and addresses. One such discovery, from 2019, included millions of stored sent and received text messages over the years between a single business and its customers. It included usernames and passwords, university finance applications, and marketing messages with discount codes and job alerts.

Despite the known insecurity, the practice continues to flourish. For ethical reasons, the researchers behind the study had no way to capture its true scale, because it would require bypassing access controls, however weak they were. As a lens offering only a limited view into the process, the researchers viewed public SMS gateways. These are typically ad-based websites that let people use a temporary number to receive texts without revealing their phone number. Examples of such gateways are here and here.

With such a limited view of SMS-sent authentication messages, the researchers were unable to measure the true scope of the practice and the security and privacy risks it posed. Still, their findings were notable.

The researchers collected 322,949,000 unique SMS-delivered URLs extracted from over 33 million texts, sent to more than 30,000 phone numbers. The researchers found numerous evidence of security and privacy threats to the people receiving them. Of those, the researchers said, messages originating from 701 endpoints sent on behalf of the 177 services exposed “critical personally identifiable information.” The root cause of the exposure was weak authentication based on tokenized links for verification. Anyone with the link could then obtain users’ personal information—including social security numbers, dates of birth, bank account numbers, and credit scores—from these services.

[ad_2]

Source link

Chaim Potok
Chaim Potok

━ more like this

Business

Sends shares Q1 2026 business update and product progress

0
Sends reported Q1 2026 updates sharing news on digital cards, app redesign, ClearBank integration, and fintech industry recognition. Sends, a fintech platform operated by Smartflow...
Reviews

We swipe our phones all day, and scientists just ranked which ones are the most tiring

0
We all know staring at your phone for hours isn’t great for mental health. But what about your fingers? Previously, researchers couldn’t measure...
Gear

Two suspects have been arrested for allegedly shooting at Sam Altman’s house

0
OpenAI CEO Sam Altman's house may have been the target of a second attack after San Francisco Police Department arrested two suspects for...
Reviews

You Can Soon Buy a $4,370 Humanoid Robot on AliExpress

0
Listing consumer electronics on the internet's large ecommerce marketplaces is a key step in “democratizing” the products, allowing them to be purchased by...
Gaming

Retro Rewind re-creates the glorious drudgery of working a ’90s video store

0
spot_img
Previous article
Forget the watch, Apple’s AI Pin might be its next wearable move
Next article
Judge orders stop to FBI search of devices seized from Washington Post reporter

Tech Reader is a Tech News magazine, publishing all about technology, gears, apps, mobile and reviews. Take your time and immerse yourself in this amazing experience!

━ about

━ follow us

━ subscribe

© Tech Reader - All rights reserved.