Twilio, a telecom giant with more than 150,000 corporate customers, reported that a targeted phishing campaign successfully allowed hackers to access some of their customer data. On August 4, a well-organized attacker used stolen corporate login credentials to access the data of 125 corporate customers, Twilio explained in a blog article describing the incident.
The attacker sent numerous text messages to current and former employees posing as the company’s IT department. The texts claimed that employees’ passwords had expired or that their schedules had changed, and they directed the Twilio workers to a URL loaded with seemingly legitimate terms like “SSO” and “Twilio.” However, the destination was a phishing site used to steal their credentials.
Twilio describes the attack as far more coordinated and sophisticated than usual, citing its apparently wide reach and persistence. Twilio partners were also affected, and the threat actors were able to match employee names to phone numbers. Though Twilio has worked with the US-based mobile carriers and domain hosts from which the attacks originated, the customer data is already in the hands of criminals.
Popular encrypted messaging app Signal is among Twilio’s affected customers. On Monday, they warned users that 1,900 Signal accounts may have been compromised. The breach potentially revealed phone numbers and may have allowed threat actors to register new devices for the accounts. However, of those 1,900 phone numbers, the attacker searched for three explicitly. Only one of those users has confirmed with Signal that their Signal account was hijacked.
According to Signal, this breach affects a tiny fraction of their more than 40 million users. Moreover, the limited scope of what hackers can do with this information is deliberate. Signal wrote in a support document, “This did not give the attacker access to any message history, profile information, or contact lists. Message history is stored only on your device and Signal does not keep a copy of it.” They stress that Signal PINs, which were introduced in 2020, are the only way contact lists, profile information, blocklists, and more can be recovered — and these are not a part of the breach.
“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” Signal writes. “While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users.”
Whether the other 124 Twilio customers affected by the breach will issue statements of their own in the coming weeks is unclear. However, one unavoidable issue has reared its ugly head again: the exponentially increasing vulnerability of SMS security. The aging SMS ecosystem, a relic from a time before today’s accessible public-key infrastructure, is simply too easy to crack, spoof and intercept.
While SIM swap attacks aren’t overtaking simple phishing as the most common form of SMS-based fraud, they are more dangerous and easier to perform than ever. In the past, social engineers would convince or bribe a mobile carrier employee to register a phone number to a device and SIM card under their control — allowing them to divert any SMS messages to the new device. All the more frightening, however, is the ease with which the same process can be achieved digitally, with virtually no defense against it.
KrebsOnSecurity posted an eye-opening article exposing an unregulated industry that uses “letters of authorization” or LOAs to state they have the authority to act on behalf of a phone number’s owner. Ostensibly, these services exist so that companies or individuals can run SMS marketing campaigns. However, researchers have demonstrated that signing up with someone else’s number can quickly and easily divert their SMS messages to a threat actor.
Allison Nixon, chief research officer at cyber investigations firm Unit221B, told KrebsOnSecurity, “This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA.” Nixon points to federal regulators for solutions, saying it’s time for them to step up and protect consumers. “It’s clear this is a lot of foundational infrastructure mucky muck and some fundamental changes are going to need to happen here,” she said. “Regulators really need to get involved.”
With or without regulatory changes, it’s clear that overreliance on SMS for security has only empowered attackers. Digital fraud over SMS is more common than ever: phishing schemes that steal credentials through a fraudulent URL, fake support center calls paired with a real-time OTP phishing attempt, and more attacks are nearly permanent residents of everyone’s text inbox.
A fundamental shift in the telecom sector is long overdue, but SMS security has become entrenched. Uprooting it entirely will likely prove difficult, but the alternative is kowtowing to hackers whose tools have become cheaper, faster and more effective than the best defenses SMS can offer.
For now, users should consider the following when it comes to SMS-based security:
Companies that provide one-time passcodes for authentication or verification should consider removing SMS-based OTPs from their systems. Instead, they should choose a more secure option, like FIDO-based passwordless authentication using fingerprint or facial biometrics.
The burden of distinguishing a trusted source from a fraudster shouldn’t fall on users who already have so much on their hands. Instead, FIDO-based authentication, which is inherently phishing-resistant, shifts the user’s responsibility away from detecting phishing attempts and back to choosing legitimate applications. IBM contributor Shane Weeden points out that FIDO and WebAuthn allow users to delegate their security to “a trusted computer program such as the browser rather than the human having to visually recognise a phishing attempt themselves.”
Modern CIAM (Customer Identity and Access Management) doesn’t fall back on telecom relics like SMS. SMS-based authentication, proofing and 2FA were born out of a need to make incompatible technology work together. And the reality is that we simply don’t need to use mobile networks to support digital identity anymore. That SMS-based security is still in use shows that leading companies must take the initiative and modernize their CIAM.
Futureproofing your CIAM implementation allows you to shed these aging systems — and a global upgrade would mean removing SMS from the cybersecurity landscape for good. Companies that upgrade to a consolidated CIAM platform can eliminate their reliance on SMS-based security and also achieve an unparalleled level of threat detection and risk mitigation. The 360-degree view that modern CIAM provides means threats are stopped in real time — rather than after the initial breach has already happened.
Although multiple Twilio employees were fooled by an SMS phishing scheme, they’re certainly not alone in falling victim to an apparently legitimate message from their company’s IT department. In reality, breaches like this are the fault of an aging ecosystem that relies on vulnerable SMS-based communications. Users have grown so accustomed to these messages being authentic that it’s only a matter of time before the next slip makes headlines.