460 points wglb | 12 comments
janalsncm ◴[] No.41199037[source]
> The Smishing Triad network sends up to 100,000 scam texts per day globally

This should not be possible. I guess the iMessage scams used e2ee, but the SMS scams should have been caught. It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it.

More broadly, and at the risk of creating another TLA, the US needs a Blue Team version of the NSA. In other words, identify critical infrastructure, figure out how it can be hacked, and require that companies fix the issues. Use national security if need be. Banks have to undergo stress tests to prove they are solvent, there is no reason that critical infrastructure should be able to leave their doors unlocked.

replies(4): >>41199054 #>>41200287 #>>41201580 #>>41201685 #
fullspectrumdev ◴[] No.41200287[source]
Spam filtering for SMS is still not particularly broadly implemented by network operators apparently.

I remember during Covid there were a few startups in that space trying to work with MVNOs to get a foothold in the market, but don’t think any of that went anywhere.

replies(2): >>41200342 #>>41203219 #
newsclues ◴[] No.41200342[source]
Network operators make money from the scam industry; they are not incentivized to deal with the problem beyond offering additional paid services.
replies(1): >>41201319 #
1. LinuxBender ◴[] No.41201319[source]
I can vouch for this. There were a myriad of cases I brought to my boss, the director of operations for a major wireless carrier that was absorbed into another one that still exists. "They are paying their bills, right?" was all I could get. I had text messages scrolling on my desk in a different workspace all day. Agencies would have me grep for homicide threats between gangs but that's about it. I was not only required to support spammers and scammers, but also required to make sure everyone's messages got through quickly, including those that were overloading my gateways from SS7 links controlled by obvious scammers. I was not allowed to get the hicap folks to decom nefarious SS7 links. This was a long time ago and I doubt the situation improved.
replies(4): >>41201615 #>>41203174 #>>41203218 #>>41203854 #
2. bluGill ◴[] No.41201615[source]
Congress is hearing complaints and so getting interested in this. Thus providing incentive. Of course the incentive to carriers is to stop the scams Congress will be interested in, while allowing the rest.
3. ryandrake ◴[] No.41203174[source]
> I can vouch for this. There were a myriad of cases I brought to my boss, the director of operations for a major wireless carrier that was absorbed into another one that still exists. "They are paying their bills, right?" was all I could get.

I would have loved to ask him if he'd do business with Stormfront or ISIS as long as they were "paying their bills." It's not just the top of the food chain, these middle managers are all morally bankrupt, too.

replies(1): >>41206527 #
4. consteval ◴[] No.41203218[source]
> Agencies would have me grep for homicide threats between gangs

As an aside, it's terrifying that our texts can just be read and mass processed like this.

I'm sure, in the general sense, this information isn't used for evil. But certainly I think it can be, like those Ring Doorbell employees who used their access to stalk their victims.

The case for secure messaging services only grows stronger, even for the innocent.

replies(1): >>41206549 #
5. yabones ◴[] No.41203854[source]
Works the same way as old-school junk mail. Your postal service gets paid well by junk mailers to put trash in your mailbox, so they're disincentivized to fix the systemic issue. I can't find a good quality source on this, but it's been said that about 45-50% of USPS & Canada Post's revenue comes from junk mail. They could fix it, but it would probably lead to a collapse of the entire post system due to revenue shortfalls. A true tragedy of the commons.
replies(2): >>41206031 #>>41209747 #
6. kgdiem ◴[] No.41206031[source]
I was pissy one day after my mailbox was so full the mail carrier sat it in front of the mailbox and I came up with a solution I haven’t tried — return to sender!

This would decrease their profit per-item by 1/2.

Key piece tho, are you able to return pre-sorted mail to sender?

replies(1): >>41206749 #
7. LinuxBender ◴[] No.41206527[source]
I can't comment on ISIS and their ilk but I can say that wireless companies absolutely love drug dealers, unofficially speaking of course. They pay cash, pay on time and always keep their accounts active. Some have multiple phones. A disabled phone is lost revenue.
8. LinuxBender ◴[] No.41206549[source]
I guess we have to choose our poison. If the chat is RCS on both ends then it's Google or Apple reading the text. I don't buy any of the E2EE marketing. Sometime, force your phone onto LTE over Wifi and watch who it is talking to. Even with RCS every keypress on Android at least goes to the wireless provider over a VPN tunnel for spell check. I found it still does this even if I disable spell check, just less. If it's plain text messaging then it's still plain text over SS7 and the wireless provider can see it in their messaging gateways. I just assume any messaging sent over a phone is insecure.

> I'm sure, in the general sense, this information isn't used for evil.

Maybe. I do know there have been cases of people bribing lower tier support in wireless providers to do SIM swapping. I don't know how often this occurs or how often they get caught. Things are logged but someone would have to know to look at the logs. I've also heard that employee churn is high in support so they might be long gone by the time anyone looks.

replies(1): >>41212963 #
9. lazide ◴[] No.41206749{3}[source]
You can’t. USPS thought of this a loooong time ago.

Frankly, junk mail is one of the primary things keeping the USPS afloat.

replies(1): >>41206915 #
10. kgdiem ◴[] No.41206915{4}[source]
I did some research and you can send a letter to the postmaster to request they stop delivering for certain addresses. Seems there’s a service for this too.

https://www.paperkarma.com/product/paperkarma-subscription/

> Mail Withheld From Delivery. An addressee may request his or her postmaster, in writing, to withhold from delivery for a period not exceeding 2 years any foreign letter or printed matter bearing a specified name or address appearing on the outside. Such mail is marked “Refused” by the Post Office™ and treated as undeliverable.

https://about.usps.com/what/business-services/delivery-growt...

11. fn-mote ◴[] No.41209747[source]
The assertion that scam texts are the same as junk mail is absurd unless you believe that there are unsophisticated victims falling for junk mail offers. I don’t buy the comparison at all.

I assume the point is “there is no economic incentive to fix the situation” … but that is an extremely generic claim.

12. oarsinsync ◴[] No.41212963{3}[source]
> If the chat is RCS on both ends then it's Google or Apple reading the text. I don't buy any of the E2EE marketing.

The “E2EE marketing” around RCS applies solely to messages sent between Google Android devices on both sides. Otherwise, RCS is plain text like SMS. The carrier can read it all. This includes Apple’s implementation.