SMS notification is widely used in our lives. It makes it so convenient to monitor the balance of your bank card: to know that money has arrived, or that you have withdrawn some. But using this feature is comparable to using an incorrectly configured firewall: it gives you a false sense of security.
A bit of background
One fine day I received an SMS from Megaphone stating that 1000 rubles had been credited to my phone. I was very happy: I had not put any money on the phone. But my joy was short-lived: an hour later another SMS came:
" . : ( ) "
Closer to the point
So, here is the thing. Recently, Ryska found a bunch of services for sending SMS from an arbitrary number. Then I remembered the story of the Megaphone payment and thought: after all, I trust this SMS notification so much that I am too lazy to check the information in these messages. And then this idea came to me. Surely I'm not the only one who is so lazy. What if an attacker takes advantage of one of these services? First withdraws the money, and then sends a phony SMS about the cancellation of the withdrawal operation?
I conducted an experiment: via this service I sent 2 SMS from one sender, “90-0”, to 5 people (this is the number from which SberBank card holders receive SMS about operations on their cards):
On cancellation of the withdrawal operation (Text: "Dear card holder! You were returned 15000RUR, which were removed from your card due to a system failure. Regards, Sberbank").
The interval between the SMS was about 5 minutes. As it turned out, none of the participants in the experiment eventually contacted the bank about this situation: some simply did not manage to (they were not near the phone), and some could not find the bank's phone number in that time to clarify the situation. And when the second SMS arrived, they calmed down and forgot about the situation. And this is despite the fact that the card numbers in the messages I sent were fake (I didn’t know what cards they had). An attacker may have more information about his victim.
So be vigilant and do not be too lazy to check the information from SMS.
UPD: currently the biggest problem from the attacker's point of view is getting the dummy SMS to arrive at the right time, because the arrival time of the SMS about the withdrawal varies and is difficult to predict exactly. A fake SMS must be sent after the real one, preferably a few minutes later.
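The check the post recommends, as an added example that is not part of the original post: a "money returned" SMS is accepted only if the account's own statement shows a matching credit, and the sender field is ignored because it can be set to anything. The ledger, the record layout and the field names are constructed for illustration; the first message text is the one used in the experiment above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. LEDGER stands in for the authoritative statement
# (online banking, or a call to the number printed on the card).
LEDGER = [
    {"time": datetime(2024, 1, 10, 12, 0), "kind": "debit", "amount": 15000},
    {"time": datetime(2024, 1, 12, 9, 30), "kind": "credit", "amount": 2000},
]
SMS = [
    {"sender": "90-0", "time": datetime(2024, 1, 10, 12, 6),
     "text": "Dear card holder! You were returned 15000RUR, which were removed "
             "from your card due to a system failure. Regards, Sberbank"},
    {"sender": "90-0", "time": datetime(2024, 1, 12, 9, 31),
     "text": "You were returned 2000RUR."},  # constructed, backed by a real credit
]

AMOUNT_RE = re.compile(r"(\d+)\s*RUR")
REFUND_RE = re.compile(r"\breturned\b", re.IGNORECASE)

def unverified_refunds(sms_list, ledger, window=timedelta(minutes=30)):
    """Return refund-claim SMS that no ledger credit confirms.

    The sender field is deliberately not consulted: it is attacker-controlled
    and proves nothing about who sent the message.
    """
    unused = [e for e in ledger if e["kind"] == "credit"]
    suspicious = []
    for sms in sorted(sms_list, key=lambda m: m["time"]):
        amount = AMOUNT_RE.search(sms["text"])
        if not (amount and REFUND_RE.search(sms["text"])):
            continue  # not a refund claim, outside the scope of this check
        value = int(amount.group(1))
        match = next((e for e in unused
                      if e["amount"] == value
                      and abs(e["time"] - sms["time"]) <= window), None)
        if match:
            unused.remove(match)  # one ledger credit can confirm one SMS only
        else:
            suspicious.append(sms)
    return suspicious

if __name__ == "__main__":
    for sms in unverified_refunds(SMS, LEDGER):
        print("UNVERIFIED:", sms["time"], sms["text"][:50])
```

On the sample data only the 15000RUR "return" is flagged: the statement shows the debit but no credit to back the message.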