Hackers and Message Mirroring – How SMS Eavesdropping Can Topple Your Security
Hackers are using mirroring apps to monitor SMS activity, enabling them to view private conversations, harvest private data, and appropriate SMS authentication codes.
Since the beginning of the pandemic and the consequent migration to working from home, cybersecurity experts have heavily advocated keeping work communications out of your SMSes. However, SMS persists as a widely utilised work communications tool – transmitting sensitive data such as passwords, finances and confidential business information.
Mirroring applications leverage screen-streaming technology to remotely view anything occurring on your phone in real time. This means that any texting, browsing or other activities can be viewed by the hacker. The real kicker is that mirroring apps are often installed without the victim’s knowledge.
By using Google features, in combination with a compromised email and password, hackers can remotely install applications on most modern devices. Once a mirroring app is installed remotely, all activity can be viewed without your knowledge.
While the thought of someone viewing your personal phone usage is certainly unpleasant, the real damages often come in the form of exploiting two-factor SMS codes.
If you aren’t already familiar, two-factor authentication is simply an extra layer of security when logging in or accessing a system. You might be most familiar with two-factor when you’re making a transaction on a banking app, and are sent a verification code via SMS to confirm.
One of the most memorable cybersecurity quotes from Microsoft is that two-factor authentication can block over 99.9 percent of account compromise attacks. It’s a bold claim, but it is not misinformed – if a hacker cracks your password, two-factor authentication is typically enough to prevent a full breach.
However, a layer of nuance that is often missing from the two-factor authentication discourse is how the two-factor authentication is delivered.
There are a number of ways that two-factor authentication can be performed, all with varying levels of security. See the following table for a few common methods:
While two-factor delivered via SMS is extremely popular and relatively secure, hackers are using mirroring applications and other security exploits as a workaround – allowing them to hijack two-factor for larger data breaches.
Picture a scenario wherein the password for your work email is compromised. If you’ve secured it with a two-factor SMS code, and a hacker has further targeted your device with a mirroring app, they can then gain full access to your email to commit identity theft, invoice fraud and other forms of significant security breaches.
One-time SMS codes are also subject to threats of SIM swapping, which can re-route your texts to another phone, and reverse proxy tools such as Modlishka, which can intercept and monitor SMS communications with ease.
Despite these growing threats, many well-known online services still use two-factor SMS codes, including myGov and the Big Four banks.
So what can you do to improve your phone and two-factor security?
- Use app-based 2FA: Email, SMS and push-based two-factor are all helpful, but they aren’t the most secure, nor are they the most convenient. Use a dedicated app such as Authy, Google Authenticator or 1Pass for the best results.
- Scan your phone routinely: It can be hard to keep up with all of the apps installed on your phone, but using an antivirus scanner can help weed out any potential threats. Use an antivirus scan regularly to reduce the chance of a malicious app stealing your data.
- Routinely change your passwords: The best way to avoid a remote app installation is to change your Google Account passwords at least every six months, and ensure that your passwords are both strong and unique. Furthermore, equip your Google Account with two-factor.
- Check for location-based two-factor: Some applications, such as Twitter and Gmail, have the option to prompt for two-factor authentication in the event of a login from a new location. Check if your apps and accounts support this to prevent unwanted remote logins on your accounts.
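One way to do the routine app review from the list above, shown as an added example that is not part of the original article: it triages an app inventory and ranks apps you do not recognise that can read SMS codes or capture the screen. The inventory format, the `com.example.*` package names and the `KNOWN_APPS` allow-list are constructed assumptions; the permission strings are standard Android permission names.

```python
# Standard Android permission names mapped to the capability they expose.
# The two BIND_* entries are declared on an app's services rather than requested;
# a notification listener is grouped under "sms" because it sees SMS previews.
RISKY = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "sms",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "screen",
}
ORDER = {"high": 0, "review": 1, "expected": 2}

# Constructed sample inventory (hypothetical packages), one entry per installed app.
SAMPLE_INVENTORY = [
    {"package": "com.example.messages",
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"]},
    {"package": "com.example.screenshare",
     "permissions": ["android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
                     "android.permission.RECEIVE_SMS", "android.permission.INTERNET"]},
    {"package": "com.example.torch", "permissions": ["android.permission.CAMERA"]},
    {"package": "com.example.notes",
     "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE"]},
]
# Apps the phone's owner knowingly installed (assumed allow-list).
KNOWN_APPS = {"com.example.messages", "com.example.torch"}


def audit(inventory, known_apps):
    """Return (severity, package, capabilities) for each app holding a risky permission."""
    findings = []
    for app in inventory:
        caps = sorted({RISKY[p] for p in app["permissions"] if p in RISKY})
        if not caps:
            continue  # nothing that exposes SMS codes or the screen
        if app["package"] in known_apps:
            severity = "expected"  # e.g. the messaging app you actually use
        elif len(caps) > 1:
            severity = "high"      # unrecognised app with SMS and screen access
        else:
            severity = "review"    # unrecognised app with one risky capability
        findings.append((severity, app["package"], caps))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, package, caps in audit(SAMPLE_INVENTORY, KNOWN_APPS):
        print(f"{severity:8} {package:26} {', '.join(caps)}")
```

Anything reported as `high` or `review` is an app to look up and, if you did not install it, remove before changing your account passwords.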
Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for key safety tips and takeaways.