Toronto police seize 'SMS blasters,' a cybercrime weapon never before seen in Canada (nationalpost.com)

submitted 6 days ago by HiddenLayer555@lemmy.ml to c/canada@lemmy.ca

23 comments fedilink hide all child comments

cross-posted from: https://lemmy.ml/post/46348914

TIL your phone apparently does no or easily spoofed authentication of the identity of the base station it decides to connect to. Anyone know more about this and how it's possible?

top 23 comments

sorted by: hot top new old

[-] snoons@lemmy.ca 30 points 6 days ago

I have zero trust in any company that uses 2FA over SMS.

[-] HiddenLayer555@lemmy.ml 8 points 5 days ago* (last edited 5 days ago)

TOTP is both more secure and cheaper to implement since you don't have to pay for text messages or directly communicate with the 2FA device in general. Honestly whenever some obsecure app or website demands my phone number as the only 2FA option I immediately assume it's a front to get my phone number for data brokerage. Like no way does a random online game or something care so much about security to demand 2FA but then proceed to choose the least secure and hardest to implement option. There's another reason.

[-] HellsBelle@sh.itjust.works 11 points 6 days ago

My bank (RBC) does, but luckily they also give me other options to choose from.

[-] snoons@lemmy.ca 11 points 6 days ago

Tangerine doesn't, and they also can't get their website to work on firefox lol.

[-] phoenixz@lemmy.ca 5 points 5 days ago

If your website requires a specific browser then you do websites wrong

[-] iamthetot@piefed.ca 4 points 6 days ago

I've never had a problem with their website on Firefox. What issues do you have?

[-] snoons@lemmy.ca 2 points 5 days ago

It says the service is unavailable after entering my username/account numbers.

[-] dudesss@lemmy.ca 3 points 6 days ago

Should work. Although I've had authentication problems with Tangerine with Chrome and Firefox.

[-] HellsBelle@sh.itjust.works 3 points 6 days ago

Damn. That sucks.

[-] ArmchairAce1944@lemmy.ca 3 points 6 days ago

Ditto

[-] Reannlegge@lemmy.ca 4 points 5 days ago

A few years ago all banks were supposed to move to that, I was so unhappy with that. I sent so many emails to my back bencher do nothing MP the heads of the financial institutions I was using complaining about this saying how easy it was to spoof text messages or high jack peoples numbers, I considered doing some of the spoofing to them but decided better not.

Yesterday, or the day before, my Credit Union started offering TOTP I was so giddy and excited! I figured out how to add all my keys that I was using in Raivo, because the app has sorta gone to poop town, onto my self hosted Vaultlocker. You cannot believe how happy I was today the first time I needed to use one of those numbers and I was able to open up Bitlocker on my phone and use the number today.

My place flooded so a little more than half of my one level is to the sub floor my office has a lot off “stuff” stuff into it and I have been living out of my bedroom, home labing went from a hobby to something to keep me sane.

[-] Rivalarrival@lemmy.today 13 points 6 days ago

You might want to start here: https://en.wikipedia.org/wiki/OpenBTS

[-] nik282000@lemmy.ca 7 points 6 days ago

Only a problem if you follow random links you get in your messages. So old people and the technologically illiterate.

[-] Tikiporch@lemmy.world 4 points 4 days ago

Maybe. There's lots of ways to get someone to lower their guard though.

[-] kent_eh@lemmy.ca 6 points 6 days ago

So old people and the technologically illiterate.

Or anyone else who has a distracted momentary lapse of judgement.

Plenty of tech savvy younger people who should know better fall victim to those scams too.

[-] HiddenLayer555@lemmy.ml 3 points 5 days ago

Especially when they spoof the phone number to be from official numbers. Your first instinct is probably to check if the number really belongs to CRA/Canada Post/etc, and while the idea of being asked for payment via text in general should set off your suspicision, a genuine number could easily convince enough people to make a profit. Basically like the social engineering version of spoofing a TLS identity via a compromised certificate authority.

[-] Reannlegge@lemmy.ca 2 points 5 days ago

If I have the time I waste those scammers time, it is so rare that I get one of those calls now a days, maybe once every few years.

[-] HiddenLayer555@lemmy.ml 2 points 5 days ago

If they have enough of your voice they can AI it though.

[-] Reannlegge@lemmy.ca 3 points 5 days ago

My number got black listed years ago on many of those scammer lists, the last time I had time to waste on one of those calls, they where calling a cell phone I had for work (Statistics Canada at the time, I sadly no longer work with there) and they where saying something had leaked and they where from the Government of Canada I so wanted to waste their time as I drove across town for a work meeting.

[-] nik282000@lemmy.ca 1 points 4 days ago

No one in the western world who has a smart phone is not aware of phone scams. Everyone has been told not to trust random links in text messages, usually by the banks and businesses that are being used in these scams, but 'just this time, it looks safe, they've always been safe before."

This kind of online-safety thinking needs to be drilled into people like wearing seatbelts and brushing your teeth.

[-] UnrefinedChihuahua@lemmy.dbzer0.com 4 points 4 days ago

I don't even click links from people I know!

[-] nik282000@lemmy.ca 3 points 4 days ago

You might be more paranoid than I am, but I check every unexpected link from messages claiming to be businesses if I open them at all. Usually I'll go to their website and check for what the message claims if it seems plausible.