This article discusses the threats to security and privacy that come with using SMS.
"That is just how it happened historically"
Anyone who first picked up a mobile phone discovered that, besides calls, it could send short text messages. And while messages were initially used more often to exchange information without a live operator (remember pagers), they have since become the main tool for notifications and verification.
We ran a poll on the topic in our telegram channel:
Result: 87% use SMS. It is not obvious to everyone, but the answer "Only for receiving notifications" threatens privacy even more than SMS correspondence with someone who has no messenger. When you congratulate a relative on a holiday, you think about what you are writing; you do not think about what the senders of notifications write to you.
The sample is modest, but with a larger one the difference would be insignificant.
Threat #1: Unauthorized charges
Stories about automatic subscriptions to paid services appear regularly. Last month Habr wrote about MegaFon:

A year ago, Meduza wrote about MTS:

To understand the scale of the problem:

Threat #2: Account security
You lose your SIM card, go to a mobile operator's store with your passport, and an employee issues a new card with your number within a minute. A routine procedure? That same employee can do it on their own initiative, without your knowledge, if the benefit outweighs the consequences and the likelihood of punishment.
But noticeably more popular is the re-issue of SIM cards with a forged power of attorney. Aware of the problem, operators offer to protect yourself by prohibiting actions on the subscriber's behalf by proxy. Although they could solve the problem globally by making that prohibition the default.

Once in the wrong hands, your number becomes the key to e-mail, messengers, and a variety of payment instruments: everywhere access recovery or verification via SMS is used.
The relatively good news is that most modern banks can detect a SIM card change, so the holder of the new card will not be let into the online bank and will not be sent an online payment confirmation code, at least until you confirm the card change in a branch or by phone. But do not forget that under the "Yarovaya package" the operator's records are kept for six months, and among them, besides everything else, are your answers to the "secret questions".
Security agencies can also take control of your SMS, as we have already mentioned. No re-issue of the SIM card is needed, and it is completely transparent to the subscriber.
Threat #3: Privacy
This is the most interesting part.
Notifications from companies: online services, restaurants, clubs, clinics, shops, delivery services, car sharing. Many sign their messages, so one can immediately determine which services a client uses. How much personal information such messages contain, you can imagine yourself.
Notifications from banks. From such messages one can learn:
• about account balances;
• about withdrawals and deposits, and at which ATMs;
• about your total turnover for any period;
• about deposits: the amount, term, interest paid;
• about approved loans, the payments on them and debts;
• about issued cards, part of their numbers, and sometimes part or all of the PIN code;
• about all transactions of the user, his purchases;
• about paying bills;
• about transfers to other people, including their names and account numbers.
And what the operator stores is not protected by any "banking secrecy".
The collected information allows building a thorough, personalized customer profile. The analysis does not require many resources: templated text, keywords and the type of sender are easily processed by algorithms.
Such a profile gives almost unlimited possibilities to the operator and to anyone else who gains unauthorized access, including through a database leak.
Read about information leaks at @dataleak. Open your SMS and see what information you share with the operator in the clear.
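To make the previous two paragraphs concrete, here is an added example (not code from the article or from any operator) that folds a small SMS archive into exactly the kind of profile described: which services a subscriber uses, card fragments, balances, turnover, transfer counterparties and sensitive categories. The messages, sender names and templates are constructed for the example and do not reproduce any real bank's format; the point is how little code is needed once notifications are templated.

```python
import re

# Constructed sample of what an operator's SMS archive could contain,
# as (sender, text) pairs. The messages and templates are invented for
# this example and do not reproduce any real bank's notification format.
SAMPLE_ARCHIVE = [
    ("900", "Card *4321: purchase 1250.00 RUB at PHARMACY-12. Balance 18750.50 RUB"),
    ("900", "Card *4321: transfer 5000.00 RUB to IVAN P. Balance 13750.50 RUB"),
    ("900", "Card *4321: ATM withdrawal 3000.00 RUB, ATM 0017. Balance 10750.50 RUB"),
    ("CLINIC", "Your appointment with Dr. Petrov (cardiology) is on 12.03 at 10:00"),
    ("CARSHARE", "Trip finished: 42 min, 380.00 RUB"),
    ("+79991234567", "Happy birthday!"),
]

AMOUNT = r"(\d+(?:\.\d{2})?) RUB"
# One regular expression per notification template; templated text is what
# makes a whole archive cheap to process.
PATTERNS = {
    "purchase": re.compile(r"purchase " + AMOUNT + r" at ([A-Z0-9-]+)"),
    "transfer": re.compile(r"transfer " + AMOUNT + r" to (.+?)\. Balance"),
    "withdrawal": re.compile(r"ATM withdrawal " + AMOUNT + r", ATM (\d+)"),
}
CARD = re.compile(r"Card \*(\d{4})")
BALANCE = re.compile(r"Balance " + AMOUNT)
# Keyword lists that flag a message as belonging to a sensitive category.
SENSITIVE_KEYWORDS = {"health": ("PHARMACY", "CLINIC", "DR.", "CARDIOLOGY")}


def is_service_sender(sender: str) -> bool:
    """Alphanumeric names and short codes are mass-mailing services; a
    phone number in E.164 form is assumed to be a person."""
    return not sender.startswith("+")


def build_profile(archive):
    """Fold an SMS archive into a customer profile: services used, card
    fragments, balances, turnover, counterparties and sensitive categories."""
    profile = {
        "services": set(),
        "cards": set(),
        "merchants": [],
        "atms": [],
        "transfer_counterparties": [],
        "spent": 0.0,
        "last_balance": None,
        "sensitive_categories": set(),
    }
    for sender, text in archive:
        if not is_service_sender(sender):
            continue  # personal correspondence is not templated; skipped here
        profile["services"].add(sender)
        for m in CARD.finditer(text):
            profile["cards"].add(m.group(1))
        balance = BALANCE.search(text)
        if balance:
            profile["last_balance"] = float(balance.group(1))
        for kind, pattern in PATTERNS.items():
            m = pattern.search(text)
            if not m:
                continue
            profile["spent"] += float(m.group(1))
            if kind == "purchase":
                profile["merchants"].append(m.group(2))
            elif kind == "transfer":
                profile["transfer_counterparties"].append(m.group(2))
            else:
                profile["atms"].append(m.group(2))
        haystack = (sender + " " + text).upper()
        for category, words in SENSITIVE_KEYWORDS.items():
            if any(word in haystack for word in words):
                profile["sensitive_categories"].add(category)
    return profile


if __name__ == "__main__":
    for key, value in build_profile(SAMPLE_ARCHIVE).items():
        print(f"{key}: {value}")
```

Running it over the six constructed messages yields one card fragment, three services, a running balance, a turnover of 9250 RUB, a named transfer counterparty, an ATM identifier and a "health" flag, with nothing more than a handful of regular expressions. That is the reason a stored archive is sensitive even when every individual message looks harmless.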
How long are SMS archives stored? According to the Mobile-Review investigation, 3 years; according to Maxim Katz, at least 2 years.
Getting off the SMS needle will not be easy
Financial operations
Switch to push notifications instead of SMS.
Sample scenario from Alfa-Bank:

A similar procedure is available in most other banks with mobile applications.
Confirming logins to services
Use authenticator applications on the smartphone (Google Authenticator and analogs), smart cards, tokens, or at least e-mail confirmation through a reliable mail service.
Communication
Anyone you communicate with via SMS can be moved to secure or relatively secure foreign messengers. Show them in person that using messengers is neither scary nor painful.
Two more radical options
For discussion.
Using a foreign SIM card
A few doubts about the reliability of this option:
- Are these SMS available in the clear to the local operator that serves a foreign number in roaming?
- Does it store them, and is it legally required to?
- Must it provide information about messages to such numbers upon request?
If someone wants to talk about the "inner workings" behind these questions but is not ready to do so in public comments, you can write anonymously to our telegram bot marked "for Habr". With your permission, we will add the anonymized information to the article.
Full refusal of SMS
It is hard to imagine how to live that way. But in our poll this option scored 13% ...

Can you completely give up SMS?