Old story, yet another target, not really news.

It just tells us, that the entire phone network backbone is based on a technology, which was never designed to have security built into it. It was designed at a time where nearly each country had only one phone network, a monopoly controlled by the respective country. It`s based on trust between all the participants, that all play by the rules.

Nowadays, everybody can start a phone provider and get access to that network. Therefore always keep in mind:

  • The origin number you see is in a call/SMS is just what someone decided to send you. It’s easy to fake it.
  • The SMS network is an unencrypted network, comparable to internet email. Everybody that can get access to that network (see above), can potentially read the messages on it’s way, redirect them, etc…
  • Even calls could be redirected, tampered, etc…

In short, don’t trust the phone network for authorizations. 2FA by SMS is broken since a long time and therefore most banks are or have already abandoned that technology.