←back to thread

USPS text scammers duped his wife, so he hacked their operation

(blog.smithsecurity.biz)
460 points wglb | 2 comments | 08 Aug 24 23:00 UTC | HN request time: 0.001s | source
Show context
janalsncm ◴[09 Aug 24 05:33 UTC] No.41199037[source]
> The Smishing Triad network sends up to 100,000 scam texts per day globally

This should not be possible. I guess the iMessage scams used e2ee, but the SMS scams should have been caught. It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it.

More broadly, and at the risk of creating another TLA, the US needs a Blue Team version of the NSA. In other words, identify critical infrastructure, figure out how it can be hacked, and require that companies fix the issues. Use national security if need be. Banks have to undergo stress tests to prove they are solvent, there is no reason that critical infrastructure should be able to leave their doors unlocked.

replies(4): >>41199054 #>>41200287 #>>41201580 #>>41201685 #
fullspectrumdev ◴[09 Aug 24 09:46 UTC] No.41200287[source]
Spam filtering for SMS is still not particularly broadly implemented by network operators apparently.

I remember during Covid there was a few startups in that space trying to work with MVNO’s to get a foothold in the market, but don’t think any of that went anywhere.

replies(2): >>41200342 #>>41203219 #
newsclues ◴[09 Aug 24 09:59 UTC] No.41200342[source]
Network operators make money from scam industry there are not incentivized to deal with the problem beyond offering additional paid services
replies(1): >>41201319 #
LinuxBender ◴[09 Aug 24 12:46 UTC] No.41201319[source]
I can vouch for this. There were a myriad of cases I brought to my boss, the director of operations for a major wireless carrier that was absorbed into another one that still exists. "They are paying their bills, right?" was all I could get. I had text messages scrolling on my desk in a different workspace all day. Agencies would have me grep for homicide threats between gangs but that's about it. I was not only required to support spammers and scammers, but also required to make sure everyone's messages got through quickly, including those that were overloading my gateways from SS7 links controlled by obvious scammers. I was not allowed to get the hicap folks to decom nefarious SS7 links. This was a long time ago and I doubt the situation improved.
replies(4): >>41201615 #>>41203174 #>>41203218 #>>41203854 #
consteval ◴[09 Aug 24 16:17 UTC] No.41203218[source]
> Agencies would have me grep for homicide threats between gangs

As an aside, it's terrifying that our texts can just be read and mass processed like this.

I'm sure, in the general sense, this information isn't used for evil. But certainly I think it can be, like those Ring Doorbell employees who used their access to stalk their victims.

The case for secure messaging services only grows stronger, even for the innocent.

replies(1): >>41206549 #
1. LinuxBender ◴[10 Aug 24 00:44 UTC] No.41206549[source]
I guess we have to choose our poison. If the chat is RCS on both ends then it's Google or Apple reading the text. I don't buy any of the E2EE marketing. Some time force your phone onto LTE over Wifi and watch who it is talking to. Even with RCS every keypress on Android at least goes to the wireless provider over a VPN tunnel for spell check. I found it still does this even if I disable spell check, just less. If it's plain text messaging then it's still plain text over SS7 and the wireless provider can see it in their messaging gateways. I just assume any messaging sent over a phone insecure.

I'm sure, in the general sense, this information isn't used for evil.

Maybe. I do know there have been cases of people bribing lower tier support in wireless providers to do SIM swapping. I don't know how often this occurs or how often they get caught. Things are logged but someone would have to know to look at the logs. I've also heard that employee churn is high in support so they might be long gone by the time anyone looks.

replies(1): >>41212963 #
2. oarsinsync ◴[10 Aug 24 23:24 UTC] No.41212963[source]
> If the chat is RCS on both ends then it's Google or Apple reading the text. I don't buy any of the E2EE marketing.

The “E2EE marketing” around RCS applies solely to messages sent between Google Android devices on both sides. Otherwise, RCS is plain text like SMS. The carrier can read it all. This includes Apple’s implementation.