It’s a good idea to try and keep certain things private.
For example, people have been using anonymous email services for years. These either hide your real email address, or replace it entirely for specific tasks. Folks will go one step further, setting a separate alias for each service they sign up to. If an alias starts receiving mail from strangers, they have a good idea which service has suddenly experienced a breach.
You may well be aware of these methods for anonymising emails. But did you know similar services exist in the SMS space?
Keeping your number safe
Nobody wants to have their mobile number leaked in a database dump, or placed onto dozens of marketing lists. It’s also a lot easier to switch out an email than a number tied to a device in your pocket. Changing numbers is quite often a pain, especially when updating all of your contacts.
There are other security concerns too. Some folks may want to keep their real number away from marketers and spammers. Others may want a little added security in the form of 2FA, despite not actually having a phone. How would they go about this?
Let’s look at one of the possible solutions, and the problems that come along with it.
How temporary number services work
This is where online anonymous SMS services come in. These are websites which receive SMS messages on your behalf, rather than sending them to someone else. How does this play out?
- You visit a “free temporary number” site, and select one of a dozen or so temporary numbers on offer. They usually offer regional numbers, so if it’s easier to use a French number, you can do that. Need one for Germany, or the UK, or even Australia? There’s likely one in there somewhere.
- You then use that number for whichever online service you need it for. Some examples would be confirmation codes, authentication codes, appointment confirmations, banking codes, verifying social media accounts, web logins, and more.
- At this point, you’re wondering “How do I actually receive messages to this number? I don’t own it and it’s not tied to my phone. I might not even own a phone. There’s also no registration or login on the site to keep track of messages sent my way. What’s the deal here?”
The deal here
Each temporary mobile number has its own page on the site you obtain it from. All of the messages sent to that number will be people wanting a code, or a pass, or a login, or a confirmation.
Those messages, for all of those people, display publicly on the number’s page.
Some services are so popular they have their own subpage on the temporary number service site. For example, there might be an Amazon page for all the Amazon messages, a Tinder page for Tinder messages etc. Whether service-specific or a more general page, they work the same way: a whole bunch of SMS messages appear, and you have to figure out which one is relevant to you and you alone.
Most services claim messages appear practically instantly. What this means in practice is sitting on the page for the number / service combination you’ve used, and waiting until your desired SMS shows up.
If half a dozen generic looking messages for an Instagram verification code arrive in the space of 5 minutes, all for the same number: which one is yours? Each Instagram verification message carries a different code, so presumably all you can do is start punching them all in and hope for the best. This seems less than optimal.
Is this dangerous?
We must be clear: The websites we’ve seen at least reference the fact that messages sent are not private. However, the way it’s mentioned varies. It could well be buried in generic descriptions of what the site is all about. It also feels a little dissonant when some of them claim you can “keep your privacy with our free services”. The “privacy” simply extends to how careful you are in making use of the service. If you’re expecting your messages to be somehow hidden from the view of others, you’re sadly mistaken.
There are other SMS sites which do mention it prominently in red text. They also mention services should “not be used for any sensitive transactions”. Unfortunately those mentions are on FAQ or privacy pages, and seem likely to go unnoticed by many. If you don’t read those awful cookie preference popups, you likely don’t read the privacy blurbs either.
SMS codes made public
So, what are people sending? Here’s a sample:
It’s certainly making me say “yikes” to see these online, but by the same token, there’s no practical way to do anything bad with these. The account(s) could belong to anyone, and with nothing else identifiable in the message, it’s just a random code with nothing to tie it to. It’s the same as me sending you a text and saying the login code for my account is 123456. Which account? What email address? Username? And so on.
So it’s disconcerting, but not a disaster outside of perhaps making people behave too casually about security messages sent to their phone. It’s quite peculiar to see dozens of text messages posted online which include the line “keep this code safe and do not share it with anyone”.
Perhaps that’s the rub: They are supposed to be secrets, and if you put them on a public website they aren’t.
How revealing is too revealing?
Elsewhere though, things become slightly more personal. We’ve modified the text of the messages a little so people can’t simply pull them up in Google but their essence is unchanged. These are all based on genuine missives we’ve seen on the various SMS sites:
“Your appointment with [clinical service] on [date and time] has been confirmed.”
“Click to get back into your [account]”, with a one time click password reset link.
“You’ve requested a new password. Click here to reset it”, with a reset password link.
“Follow this link to complete your survey for the (medical) test [link] and call if you have questions”
“To complete registration, click here” with a registration link.
“I liked your profile on [site]. Please visit my profile at [link]”
“Your payment plan identity number is [number] for [x] amount. Your next payment of [y] is due [date].”
Some of these raise a few warning flags. They sit just on the potentially identifying side of the line.
The dating site message with its link could be perfect for a social engineer or phisher to move into the conversation. The medical survey could potentially prefill with details of the recipient before they complete the form. This means someone clicking the link who it’s not intended for could see things they’re not supposed to. The clinical service appointment gives a clear location, time and date. This specific data is no doubt worthless for almost everybody bar the patient. It’s still a bit alarming to see it floating around online.
What’s clear in all of them is that, like the security codes, they are supposed to be private and the sender is clearly assuming they are engaged in a one-to-one conversation.
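As an added example that is not part of the original article, here is a small Python triage script that sorts SMS texts into the two buckets the article reasons about: a bare code with nothing to tie it to, versus a message carrying a link, appointment details or payment figures. The sample messages, names and links below are constructed placeholders modelled on the categories above, and the patterns are an assumption of mine, not any site's or sender's own checks.

```python
import re
from dataclasses import dataclass

# Constructed sample messages modelled on the article's categories; none is a
# real text, and the links point at the reserved .invalid domain.
SAMPLE_MESSAGES = [
    "Your login code is 123456. Keep this code safe and do not share it with anyone.",
    "Your appointment with Example Clinic on 12 March at 09:30 has been confirmed.",
    "You've requested a new password. Click here to reset it: https://example.invalid/reset/abc123",
    "I liked your profile on ExampleDate. Please visit my profile at https://example.invalid/u/9921",
    "Your payment plan identity number is 44871 for 1200.00. Your next payment of 150.00 is due 1 April.",
]

# Patterns for the things the article singles out as identifying or actionable.
LINK_RE = re.compile(r"https?://\S+", re.I)
DATE_RE = re.compile(
    r"\b\d{1,2} (?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\w*\b|\b\d{1,2}:\d{2}\b", re.I)
AMOUNT_RE = re.compile(r"\b\d+\.\d{2}\b")
# A 4-8 digit code with no link anywhere in the message.
CODE_ONLY_RE = re.compile(r"^[^\d]*\b\d{4,8}\b(?:(?!https?://).)*$", re.I)

@dataclass
class Verdict:
    message: str
    risk: str          # "low" (bare code) or "high" (identifying or actionable)
    reasons: list

def assess(message: str) -> Verdict:
    """Classify one SMS by what it would expose if posted on a public number page."""
    reasons = []
    if LINK_RE.search(message):
        reasons.append("contains a clickable link (reset/registration/profile)")
    if DATE_RE.search(message):
        reasons.append("contains a date or time (appointment details)")
    if AMOUNT_RE.search(message):
        reasons.append("contains a monetary amount (payment details)")
    if reasons:
        return Verdict(message, "high", reasons)
    if CODE_ONLY_RE.match(message):
        return Verdict(message, "low", ["bare numeric code with nothing to tie it to"])
    return Verdict(message, "low", ["no identifying fields detected"])

def high_risk(messages):
    """Return only the messages that should never go to a shared, public number."""
    return [m for m in messages if assess(m).risk == "high"]

if __name__ == "__main__":
    for v in map(assess, SAMPLE_MESSAGES):
        print(f"[{v.risk.upper():4}] {v.message[:60]}... -> {'; '.join(v.reasons)}")
```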
Of people problems and technical mishaps
At least some folks using these temporary number services mustn’t be reading the warnings highlighting that everything is posted publicly. Or perhaps more worryingly, they are and…simply don’t care? Neither possibility is great. The latter viewpoint can slide into a gradual “who cares” feeling in relation to their theoretically private dealings.
It’s also worth noting a lot of the mobile number pages are filled with various kinds of 2FA / authentication codes. The problem with that is many of the sites rotate their numbers. Some vanish after just a few days.
Imagine setting up text based 2FA on your Outlook account, then losing your phone. With the phone, and more specifically your number gone, you no longer have a number to send the verification codes to. That would be bad.
Now imagine you’ve set up text based 2FA on your Outlook account. You’ve done this using a site which took said number out of circulation 3 days ago.
This would also be bad.
Even so, it appears people are doing it anyway.
Be smart with your SMS messages
These sites encourage you to use them to make yourself a bit more secure and private. That’s how they sell it, anyway. If you use disposable mobile services for anything sensitive, you may well be causing the reverse to happen. Using them for generic services you don’t want spamming you? Occasional (non-identifiable) passcodes for logins? Probably okay on an occasional basis. However, it feels easy to accidentally divulge more than you bargained for in the dusty pages of their logged SMS messages.
There’s no guarantee some sites won’t simply keep messages online forever. Once you hit send it’s too late to fix a problem. This type of service has been around for some years now, but they seem to be growing in popularity. If you need to use one? Weigh up whether what’s being sent is definitely okay to end up on the big wide web. Once the SMS genie is out of the bottle, it’s not going back in.
The post Watch what you send on anonymous SMS websites appeared first on Malwarebytes Labs.