
"The links are sent to people seeking a range of services, including those offering insurance quotes, job listings, and referrals for pet sitters and tutors. To eliminate the hassle of collecting usernames and passwords, and for users to create and enter them, many such services instead require users to provide a cell phone number when signing up for an account. The services then send authentication links or passcodes by SMS when the users want to log in."
"A paper published last week has found more than 700 endpoints delivering such texts on behalf of more than 175 services that put user security and privacy at risk. One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them by simply modifying the security token, which usually appears at the right of a URL."
"By incrementing the token, for instance by first changing 123 to 124 or ABC to ABD and so on, the researchers were able to access accounts belonging to other users. From there, the researchers could view personal details, such as partially completed insurance applications. In other cases, the researchers could have transacted sensitive business while masquerading as the other user. Other links used so few possible token combinations that they were easy to brute force."
Millions of users face privacy and security risks when services rely on SMS links or passcodes for authentication. More than 700 endpoints deliver such texts on behalf of over 175 services, covering insurance quotes, job listings, and referral platforms. Many authentication links use short or easily enumerated tokens, so an attacker can guess or brute-force valid URLs and reach other users' accounts. Some links grant account access without any additional authentication and remain valid for days or months, allowing identity theft, scams, or unauthorized transactions. Using long, unpredictable tokens, shortening link validity, and adding further authentication layers can reduce these risks.
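The mitigations above (unpredictable tokens, short validity, single use) in a small login-link issuer. This is an added illustration, not code from the paper or from any of the services it studied; the class name, the 10-minute lifetime and the fake clock are assumptions chosen for the example.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy per link
LINK_TTL_SECONDS = 600    # assumed lifetime: 10 minutes, not days or months


def token_entropy_bits(alphabet_size, length):
    """Guessing space of a token drawn uniformly from alphabet_size**length.
    A three-letter token such as 'ABC' has only ~14 bits, which is why
    counting up through neighbouring values finds other users' links."""
    return length * math.log2(alphabet_size)


class MagicLinkStore:
    """Issues and redeems single-use, short-lived login tokens.

    Only a SHA-256 digest of each token is kept server-side, so a leaked
    table does not hand out working links. The clock is injectable so the
    expiry path can be exercised deterministically (assumed design)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # secrets.token_urlsafe gives a CSPRNG-backed, non-sequential token;
        # nothing about it can be incremented to reach another user's link.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._digest(token)] = (user_id, self._now() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user id for a valid token, or None. Each token is
        removed on first use, so a link captured later cannot be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id
```

A real deployment would additionally bind the link to a second factor or a device check before granting full account access, as the summary recommends.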
Read at Ars Technica