Berlin-based security researcher Sébastien Kaul discovered that Voxox (formerly Telcentris), a large San Diego-based SMS gateway company, had left millions of SMS messages exposed on an Amazon cloud server behind an easily queried search front end. Anyone who found it could watch, in near real time, as texts carrying one-time login codes streamed through the service.
It's a timely reminder that SMS sucks as a second factor. A text message is readable by your carrier, by whatever gateway relays it (as here), and by anyone who can port or SIM-swap your number, so it is not secure and should not be used for two-factor authentication (2FA). Weak SMS-based 2FA is what makes the current epidemic of number-porting scams pay off: take over the number, receive the codes, and bootstrap from there to the victim's online accounts, cryptocurrency, and email.
Authenticator apps are much more secure: the code is computed on your device from a secret shared once at enrollment, so no per-login message ever crosses a carrier or an SMS gateway that could leak it. That is not to say they are perfect. Security economics predicts that as they are used to defend more and more, they will be subject to ever-better-resourced attacks (real-time phishing relays already exist), so watch this space.
From Zack Whittaker's TechCrunch report on what the database contained:
Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.
Among our findings from a cursory review of the data:
We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
Many messages included two-factor verification codes for Google accounts in Latin America;
A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
Yahoo also used the service to send some account keys by text message;
And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.
A leaky database of SMS text messages exposed password resets and two-factor codes [Zack Whittaker/Techcrunch]
(via The Verge)
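To make the authenticator-app point above concrete, here is what such an app and the verifying server actually compute, as an added example (not code from this post, from TechCrunch, or from Voxox). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with nothing beyond the Python standard library, and the secret and timestamps are the RFC 6238 Appendix B reference vectors, embedded so it runs offline. The only thing that ever leaves the device is the secret, once, inside the enrollment URI; the per-login codes are derived locally on both sides and never transit a third party. The `TotpVerifier` class is an illustration of the server side, with the two checks a leaky SMS pipeline makes irrelevant but a real verifier still needs: tolerance for clock skew and rejection of a replayed code.

```python
"""TOTP as an authenticator app and its verifying server compute it.

Added example, not code from the post or from TechCrunch/Voxox. The shared
secret and the timestamps are the RFC 6238 Appendix B test vectors (SHA-1,
8 digits, 30-second step), so the expected codes are public and checkable.
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B secret for the SHA-1 vectors: ASCII "1234567890" twice.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation (offset = low nibble of the last MAC byte, 31 bits kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since t0.
    This is the whole 'authenticator app': no network, no carrier, no gateway."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def enrollment_uri(secret: bytes, issuer: str, account: str, digits: int = 6,
                   step: int = 30) -> str:
    """Key URI the server shows once (usually as a QR code) at enrollment.
    This is the only moment the secret crosses a channel; issuer/account are
    illustrative labels supplied by the caller."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side (illustrative): accept a code within +/- `window` steps of
    the server clock, and never accept a step at or before the last one used,
    so an intercepted code cannot be replayed even inside its validity window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1,
                 digits: int = 6, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.algo = algo
        self.last_accepted_counter = -1  # persisted per user in a real system

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay protection: each step is consumed at most once
            expected = hotp(self.secret, counter, self.digits, self.algo)
            # Constant-time compare so a timing side channel does not leak digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 (counter 1) the SHA-1 code is 94287082.
    print(totp(RFC6238_SHA1_SECRET, 59, digits=8))
    print(enrollment_uri(RFC6238_SHA1_SECRET, "ExampleBank", "alice"))
```

The verifier accepts one step of skew in either direction, which is why a code for step N-1 is still good at step N, but once a step has been used every code at or before it is dead. That is the property an SMS one-time code cannot give you when the code itself is sitting in a third party's searchable database.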