Subject: Re: Phishing via forging the "from" in an SMS message.
From: V (at) *nospam* nguard.LH (VanguardLH)
Newsgroups: comp.mobile.android
Date: 24. Nov 2024, 04:03:11
Organization: Usenet Elder
Message-ID: <s31odbc8uyue$.dlg@v.nguard.lh>
References: 1
User-Agent: 40tude_Dialog/2.0.15.41
"Carlos E.R." <robin_listas@es.invalid> wrote:
> Hi,
>
> Imagine you normally get SMS messages from the bank, and the from is not
> a number but a name:
>
>   BANK OF ME
>   Date: now.
>   You successfully made a payment of 10€ to Mr B.
>
> And you have a conversation. You trust those messages in your SMS
> application. They are legit. One day, you get another SMS in the same
> conversation:
>
>   BANK OF ME
>   Date: now.
>   Warning, strange movement, please click here http:\some.bad.link.com
>
> But this last message is a fake. The bad guys convince you, they get
> your credentials and your money. A case like that was seen recently in
> court here, and the bank lost. They must do more to ensure security;
> they did not protect their client properly.
>
> (in Spanish:
> https://www.genbeta.com/seguridad/parecia-imposible-condenan-al-bbva-a-reembolsar-dinero-estafado-via-sms-a-clienta-debe-asumir-su-responsabilidad).
>
> Now my question is: how did the bad guys insert a false SMS in the same
> conversation from the bank? They successfully forged the bank name
> (there is no phone number). What is the hole in the GSM network that
> allows this forgery?
>
> (I have similarly forged texts in my phone, I have direct first-hand proof).
Worse is when you get a text that doesn't say who the hell sent it, just
some digit string that never identifies the sender. I never respond to
those unless their content is something I expect to receive, like the
grocer saying their driver is leaving to deliver the goods I ordered.
Smishing
https://www.ibm.com/topics/smishing
https://www.proofpoint.com/us/threat-reference/smishing

I don't want to get into the details on how a scammer can spoof the
sender ID in an SMS message since that seems an inappropriate "how to
smish" enabler to wannabe aholes. Search on "sms spoofing".
Spoofing is not always illegal or with malicious intent. For example, I
use Google Voice to receive and make calls. They will remove the sender
ID from my outbound call to replace with my GV phone number, so the
recipient sees my GV number, not the true number for whatever carrier my
cell phone is using. That way, my callees see my number which they
recognize or is in their Contacts lists, and they call me back on my GV
number, which calls all my phones in my GV account using simultaneous
ring. Callees see my GV number, not my cell phone's carrier-assigned
number.
https://www.infobip.com/glossary/sms-spoofing

You can even find apps that let you spoof your sender ID, but I suspect
they incorporate some shady SMS provider that lets the user specify the
sender ID differently than is recorded, if anything, at the service.
SMS is not a secure communications venue. It's not even encrypted, nor
does it have guaranteed delivery, just like e-mail. So, the pretense that
sending 2FA codes via SMS or e-mail makes a login more secure (what you
know plus what you have) is a lie since insecure and non-guaranteed
delivery communication venues are employed. Yep, use insecure
communication to secure a login, and all started because users are lazy
boobs who don't use strong and *unique* passwords at each domain.
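As an added example (not from the thread; the PDUs are constructed), decoding a GSM 03.40 SMS-DELIVER shows what a handset actually threads on: the TP-OA field, which may carry a 7-bit packed name with Type-of-Number 101 instead of any digits, and which nothing in the PDU lets the phone verify. Python standard library only; the 7-bit helpers assume the ASCII-compatible subset of the GSM default alphabet.

```python
TON_ALPHANUMERIC = 0b101   # GSM 03.40 Type-of-Number: the "number" is free text
TON_INTERNATIONAL = 0b001

def pack7(text: str) -> bytes:
    """GSM 7-bit packing (ASCII-compatible subset of the default alphabet)."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits, nbits = bits >> 8, nbits - 8
    if nbits:
        out.append(bits)
    return bytes(out)

def unpack7(data: bytes, septets: int) -> str:
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))
            bits, nbits = bits >> 7, nbits - 7
    return "".join(out)

def decode_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER (SMSC-length prefix + TPDU, the form AT+CMGR hands back)."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                                    # skip the SMSC address
    oa_len, ton = b[i + 1], (b[i + 2] >> 4) & 0x07  # TP-OA length is in semi-octets
    oa = b[i + 3:i + 3 + (oa_len + 1) // 2]
    if ton == TON_ALPHANUMERIC:                     # 7-bit packed name, no digits at all
        sender = unpack7(oa, oa_len * 4 // 7)
    else:                                           # swapped-nibble BCD digits
        digits = "".join(f"{x & 0x0F}{x >> 4}" for x in oa)[:oa_len]
        sender = ("+" if ton == TON_INTERNATIONAL else "") + digits
    i += 3 + len(oa)                                # now at TP-PID
    dcs, udl, ud = b[i + 1], b[i + 9], b[i + 10:]   # skip PID and the 7-byte TP-SCTS
    text = unpack7(ud, udl) if dcs & 0x0C == 0 else ud[:udl].decode("utf-16-be")
    verdict = ("free-text sender ID set by the submitter: no number to call back, nothing to verify"
               if ton == TON_ALPHANUMERIC else "numeric sender: routable, but still unauthenticated")
    return {"sender": sender, "ton": ton, "text": text, "verdict": verdict}

def build_deliver(sender: str, text: str) -> str:  # constructed demo PDU, zeroed timestamp
    tpdu = bytes([0x00, 0x04, (len(sender) * 7 + 3) // 4, 0xD0]) + pack7(sender)  # TOA 0xD0 = alphanumeric
    tpdu += bytes([0x00, 0x00]) + bytes(7) + bytes([len(text)]) + pack7(text)
    return tpdu.hex().upper()
```

Two messages whose TP-OA decodes to the same string land in the same conversation whoever submitted them; a client that surfaces the verdict for TON 101 senders gives the user the warning the thread above asks for.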