A hacker recently pointed out that a feature specific to Apple’s iOS operating system leaves a major vulnerability with text messaging where receivers of the text can be misled into believing it came from another party. While this security flaw can encourage phishing attacks via text messages it also has implications for SMS banking, SMS verification and other text message based services.
A white hat hacker and iOS security researcher known as pod2g discovered that Apple only shows the Reply To field to receivers when opening a text message. The originating phone number of a text message is obtained when a message is sent, but the sender can also add an optional User Data Header allowing them to input a different Reply To field. Since the inception of iOS Apple has only displayed the Reply To number which presents a significant security flaw as receivers may trust a message, ultimately clicking on a malicious link or submitting sensitive information, believing it came from a trusted source.
SMiShing, or phishing conducted via SMS, has persisted for several years. Text messages hosting links to sites that install mobile malware, or messages that use scare tactics and trickery so the receiver provides sensitive information, have already affected many consumers. Exploiting this vulnerability the sender could input the phone number of a financial institution, merchant, friend or family member and the receiver may believe the malicious text came from this trusted source. With this vulnerability now known, SMiShing attacks could be on the rise.
This security flaw may not only lead to more SMiShing attacks, but also a reduction in security and trust with SMS-based services overall. Many consumers receive banking alerts via SMS, such as when they are nearing credit limits or place a transaction over a certain dollar amount. As fraudsters try to impersonate financial institutions with such alerts they can provide fake phone numbers to call or sites to visit so consumers can hand over sensitive information under the guise of verifying or preventing a bogus transaction. Many online businesses use SMS as a means for verification such as with issuing a PIN via text for the consumer to later provide or by requiring the receiver to respond to a message for verification of a purchase or event. As consumers receive SMiShing scams impersonating bank text alerts and SMS based verification methods it can undermine the perceived security and benefit of these services and ultimately lead to reduced use of these services. Consumers may need to scrutinize text messages similar to how they should be scrutinizing emails: always on the lookout for phishing scams, not blindly following links, and not replying with sensitive information over this medium of communication.
For more information: