Two-factor authentication, and SMS OTP verification in particular, is the most popular way in which transactions are validated in India. From logging in to bank and digital payment accounts to approving online transactions or transferring money between bank accounts, these OTP messages are the lifeline of most online transactions in the country. Over time, however, plenty of security researchers have raised red flags over the weaknesses of SMS OTP as a second factor. This has yet again been highlighted in the work of an ethical hacker who could silently intercept a journalist's text messages, with minimal effort and spending just over Rs 1,000.
Vice journalist Joseph Cox, in partnership with a hacker who goes by the pseudonym Lucky225, revealed in a report that all a willing attacker needed was the intent to cause harm or steal from another user. To carry out the attack, Lucky225 simply subscribed to a trial plan offered by a company called Sakari. The plan cost him $16 (about Rs 1,200), after which all he needed to do was fill in a Letter of Authorisation (LoA) with arbitrary, fake information. Within a few minutes he had access to all incoming and outgoing SMS messages for Cox's phone number.
OTP swap scams in India?
The same, as it happens, may also apply in India. A former cyber security researcher who spent the early years of his career as a hacker in India told News18 that not only are such services very common, but they can also be easy enough to use even for those without advanced technical knowledge. However, he doubts that SMS overriding is being actively used in commonplace phishing campaigns in India, because the process typically requires more investment than the generic bulk scam calling seen in the country. Instead, it is generally used in malicious smear campaigns, such as cases of personal vendetta between two parties. News18 could not yet confirm whether such OTP scams are widely used in phishing networks in India. Two independent security researchers that News18 spoke to said they had no active knowledge of this process being used in scams across India right now.
What is alarming here is that, unlike SIM swap and related attacks, where a user loses access to the network and is therefore alerted to unusual activity on their phone, the Sakari process tried out by Lucky225 and Cox in the Vice report raised no red flags at all. Cox still had network coverage on his phone, and given that we no longer primarily communicate via SMS, many people may not even notice that they have stopped receiving SMS messages. That is exactly what happened with Cox. Sources that News18 spoke to said this is also how it works in India.
How the hack worked
In this hack, when Lucky225 filled in the LoA with Sakari and entered Cox's number, Cox's SMS service was overridden by Sakari. As a result, all of Cox's SMS messages were simply rerouted to Lucky225's inbox. This gave Lucky225 access not only to Cox's banking OTPs but also to login OTPs for popular services such as WhatsApp and Bumble, among others. It also allowed him to log in to these services without Cox's authorisation and to text Cox's contacts while pretending to be him.
Sakari, as it happens, is a business bulk messaging management service, of which there are plenty. It essentially allows a business to authorise a platform to send messages on behalf of its work numbers, streamlining operations. The downside is that the number transfer apparently happens without any middle party, such as the owner of the number in question, authorising the swap. This is where the problem lies. Sakari is a smaller organisation that does not have number reassignment permission of its own, but obtains it from another company, Bandwidth. Bandwidth, in turn, routes its traffic via NetNumber, which owns an Override Service Registry database.
The hierarchy of companies will differ depending on which part of the world you are in, but the essential structure of such number assignment and reassignment operations is the same globally. Karsten Nohl of Security Research Labs told Vice that the real problem is that there is no standardised global protocol for SMS forwarding and rerouting, as a result of which operators and their SMS hub arrangements keep differing.
OTP SMS should be discontinued
With no verification layer, owing to the way bulk messaging works, SMS overriding hacks can (and should) be the final nail in the coffin for two-factor authentication based on SMS OTPs. Alternatives such as a fixed two-factor password (as WhatsApp's two-step verification works), or delivering the code via email in combination with such a password, are far safer than SMS OTPs, and call for an overhaul of the login procedures that most services use.
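As an added example, not part of the News18 article or of any product mentioned in it, the following Python shows how a service could verify a user-chosen fixed second-factor password of the kind the paragraph above recommends, instead of sending a code over SMS. Because the second factor is never transmitted over the carrier network, rerouting a victim's SMS gains the attacker nothing. The class name, iteration count, lockout values and the sample users are all assumptions made for this illustration: the password is stored only as a salted PBKDF2 hash, compared in constant time, and repeated failures lock the account so a short PIN cannot simply be guessed.

```python
import hashlib
import hmac
import os
import time

# Tuning values chosen for this example (assumptions, not from the article).
PBKDF2_ITERATIONS = 200_000   # work factor for the stored hash
MAX_ATTEMPTS = 5              # failed guesses before the second factor locks
LOCKOUT_SECONDS = 900         # how long the lock lasts
MIN_PIN_LENGTH = 6            # reject PINs short enough to brute-force online


class SecondFactorStore:
    """Hypothetical server-side store of fixed second-factor passwords."""

    def __init__(self):
        # user_id -> {"salt", "digest", "failures", "locked_until"}
        self._records = {}

    def enrol(self, user_id, pin):
        """Register a user-chosen second-factor password; only its hash is kept."""
        if len(pin) < MIN_PIN_LENGTH:
            raise ValueError("second-factor password must be at least %d characters" % MIN_PIN_LENGTH)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
        self._records[user_id] = {
            "salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0,
        }

    def is_locked(self, user_id, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(user_id)
        return rec is not None and now < rec["locked_until"]

    def verify(self, user_id, pin, now=None):
        """Return True only if the password matches and the account is not locked."""
        now = time.time() if now is None else now
        rec = self._records.get(user_id)
        if rec is None:
            # Unknown user: still spend the hash cost so response time does not
            # reveal which user ids have a second factor enrolled.
            hashlib.pbkdf2_hmac("sha256", pin.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return False
        if now < rec["locked_until"]:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ITERATIONS)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return False


if __name__ == "__main__":
    # Constructed demonstration: one enrolled user, a correct login, then a
    # run of wrong guesses that triggers the lockout.
    store = SecondFactorStore()
    store.enrol("alice", "correct horse battery")
    print("correct password accepted:", store.verify("alice", "correct horse battery"))
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", "wrong guess")
    print("locked after repeated failures:", store.is_locked("alice"))
```

In a real deployment the password check would sit behind the normal first-factor login and the lockout state would live in persistent storage rather than a dictionary; the point of the example is that nothing an SMS rerouting service can see takes part in the check.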