IMSI Catchers Make SMS Untrusted
IMSI-bitsy little Stinger
The eavesdropping device known as the International Mobile Subscriber Identity catcher, or IMSI-catcher, has rendered the Short Messaging System (SMS or Text) service a veritable sea of peril. These mobile, portable devices present a fake mobile phone as a legitimate one to the genuine mobile base station or cell site, and at the same time present a fake base station as a legitimate one to the genuine mobile phone. Lost you there, right?
*I won't be delving into the technical details, as the interwebz already has a lot of those for your later reference.
Short story - they fake a mobile phone and a cell site, and in doing so perform a man-in-the-middle attack (MITM in security parlance). They place themselves in between the phone and the cell site, and are hence able to intercept and collect information as well as send messages to either party.
Did I mention that some models can fit in a bag while others fit in a car? Good luck chasing them, much less finding them!
Vanity is my Favorite Sin
The result is utter chaos, as the once 'trusted' vanity numbers and names that were sold by Telcos and used by companies can now be copied and presented to the victim. Having gotten used to these in previous valid interactions, the poor hapless user succumbs to special offers, freebies, account and credential issues, and essentially anything that can elicit enough interest or duress to get them to click the accompanying (phishing/fake website) link.
Along with clever manipulations, like telling you that you have exceeded the number of login attempts (regardless of the fact that you entered your credentials correctly), they will initiate an SMS OTP 2FA in the guise of validating your identity and then capture the code. They then use this to register another device, effectively lock you out, and complete the account takeover process - Game Over.
Check the link? Nah.
The URLs in the SMS messages are actually dead giveaways, as they are usually not the domains of the legitimate companies. But again, you wouldn't think twice, as these SMS messages come from the same vanity number or name that you have grown comfortable with from dealing with them in the past.
Bottom line - a LOT of people have now been duped, lured to a fake website that initiates the phishing attack and completes the takeover process.
Telcos, to their credit, have disabled links in their SMS service, but this is now beyond that, as the SMS messages do not even come from them. By the same token, companies who had their vanity numbers mimicked won't be able to recognize if a transaction is fraudulent, as the perpetrators had already transferred the credentials to their new device.
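The domain check described above can be automated, since the sender name proves nothing but the host in the link still does. The following is an added example, not part of the original post: it pulls the links out of a message and compares the host each one really points to against the domains a company is known to use. The sender name ExampleBank, the allow-list and the sample messages are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: sender name -> domains the real company uses.
KNOWN_DOMAINS = {"EXAMPLEBANK": {"examplebank.example"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Host the browser would actually contact (any user@ prefix is ignored)."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_is_known(host, domains):
    """True only for an exact match or a genuine subdomain of a known domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_sms(sender, body):
    """Return [(url, host, verdict)] for every link found in the message body."""
    domains = KNOWN_DOMAINS.get(sender.upper(), set())
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation stuck to the link
        host = link_host(url)
        verdict = "known" if host_is_known(host, domains) else "SUSPICIOUS"
        results.append((url, host, verdict))
    return results


# Constructed sample messages, all arriving under the same familiar sender name.
SAMPLES = [
    "Your statement is ready: https://secure.examplebank.example/view",
    "Too many login attempts. Verify: https://examplebank.example.verify-acct.test/login.",
    "Claim your freebie at https://examplebank.example@verify-acct.test/promo",
]

if __name__ == "__main__":
    for body in SAMPLES:
        for url, host, verdict in check_sms("ExampleBank", body):
            print(f"{verdict:10} {host:40} {url}")
```

Only the first sample passes; the other two merely contain the real domain as text, while the host they resolve to belongs to someone else.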
Woe is the end-user. What Now?
The obvious way to prevent this is to NEVER CLICK A LINK in an SMS message. EVER. JUST DON'T. No ifs and buts about it; it's just how it's going to be from now on. Pity the excellent real-time marketing tool and instantaneous notification - you just can't trust SMS/texting anymore. Now you have to be wary of all SMS messages, including emergency notifications - May link ba ito? (Is there a link here?)
What you know and What You have.. needs more
'Tis the time to add 'What you Are' to the MFA (Multi-factor Authentication) mix permanently and not as an option. Biometrics would have to be added to the mix by DEFAULT, at least until mobile communication technology finds a way to create a better mutual authentication scheme that cannot be subverted or cracked by the IMSI-bitsy stingers.










