
Second Factor SMS: Worse Than Its Reputation

2024-07-11 05:56:18, linus

One-time passwords are often sent via SMS. Security researchers from the CCC recently had live access to over 200 million such SMS messages from more than 200 affected companies.

WhatsApp code: 2342
You can also tap on this link to verify your phone:
v.whatsapp.com/2342
Do not share this code.
Transfer to DE63 4306 0967 1239 7690 03
Amount: 1,312.00 EUR
TAN: 161161
Please enter this TAN to complete the transaction.
This TAN is valid for 5 minutes.

Why SMS?

Two-factor authentication via SMS (2FA-SMS) is a method to increase the security of authentications. Alongside the static password, a dynamic code sent via SMS is required. The user must enter this code during login to prove they know the password (1st factor: knowledge) and have access to the phone number (2nd factor: possession). Thus, a stolen password alone is not enough to take over the user's account.
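As an added illustration of the flow just described (example code written for this page, not code from the CCC or from any SMS provider), the following Python sketch models the server side of a 2FA-SMS login. The `send_sms` callback and the fake clock are assumptions standing in for a real provider API and real time. The demo shows that expiry, single use and an attempt limit bound the window in which a code can be misused, but also that the provider's message store contains everything needed to pass the second factor, which is exactly the exposure the rest of this post is about.

```python
import hmac
import re
import secrets
import time

OTP_TTL_SECONDS = 300   # the sample TAN above is valid for 5 minutes
MAX_ATTEMPTS = 3        # wrong guesses before the code is invalidated


class SmsOtpService:
    """Hypothetical server side of a 2FA-SMS login (constructed for this page).

    send_sms stands in for the SMS provider's API: it receives the recipient
    number and the full message text, so the provider sees the plaintext code.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # user -> {"code", "expires_at", "attempts"}

    def issue(self, user, phone):
        # CSPRNG, zero-padded to six digits; never the `random` module
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {
            "code": code,
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Login code: {code}. Valid for 5 minutes. Do not share this code.")

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # expired or locked: a fresh code is required
            return False
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            del self._pending[user]   # single use: the same code cannot be replayed
            return True
        entry["attempts"] += 1
        return False


def demo():
    """Walks through the flow with a fake clock and a fake provider message store."""
    provider_store = []        # what the provider (or anyone reading its store) sees
    now = [1_700_000_000.0]    # constructed fake clock, advanced by hand
    phone = "+49 000 0000000"  # constructed placeholder number
    svc = SmsOtpService(send_sms=lambda _phone, text: provider_store.append(text),
                        clock=lambda: now[0])
    results = {}

    # 1. The code read straight from the provider's store passes the second factor.
    svc.issue("alice", phone)
    code = re.search(r"\d{6}", provider_store[-1]).group()
    results["code_from_provider_store_passes"] = svc.verify("alice", code)
    # 2. ...but only once.
    results["replay_rejected"] = not svc.verify("alice", code)

    # 3. A code older than its TTL is rejected even if it is correct.
    svc.issue("alice", phone)
    code = re.search(r"\d{6}", provider_store[-1]).group()
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify("alice", code)

    # 4. After MAX_ATTEMPTS wrong guesses the correct code no longer works.
    svc.issue("alice", phone)
    code = re.search(r"\d{6}", provider_store[-1]).group()
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["locked_after_wrong_guesses"] = not svc.verify("alice", code)
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the server-side controls do and do not achieve: they stop brute forcing, replay and late use, but the plaintext code must leave the server to reach the phone, and every hop on that path (the provider, its subcontractors, their storage) can read it.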

Well-Known Attack Vectors

This method has been under attack for some time. Through techniques like SIM swapping or exploiting SS7 vulnerabilities in mobile networks, attackers can intercept SMS messages. Alternatively, users can be tricked through phishing attacks into revealing their one-time passwords. The CCC advised against using SMS as a second factor as early as 2013. Nonetheless, 2FA-SMS is widespread. It offers more security than simple password authentication.

Now Also Viewable Online!

The Chaos Computer Club (CCC) now demonstrates a previously neglected attack on 2FA-SMS: Service providers are commonly used to send these messages. These providers send large volumes of SMS for various companies and services and have access to the SMS content. Thus, the security of the authentication process also depends on the security of these providers.

IdentifyMobile, a provider of 2FA-SMS, shared the sent one-time passwords in real-time on the internet. The CCC happened to be in the right place at the right time and accessed the data. It was sufficient to guess the subdomain "idmdatastore". Besides SMS content, recipients' phone numbers, sender names, and sometimes other account information were visible.

Nearly 200 Million SMS from Over 200 Companies

Over 200 companies that, directly or indirectly through other service providers, entrusted this provider with the security of their authentication were affected. This included companies like Google, Amazon, Facebook, Microsoft, as well as Telegram, Airbnb, FedEx, and DHL. Over 198 million SMS leaked in total.

By simply viewing the live feed, it would have been possible to:

  • Take over WhatsApp numbers
  • Conduct financial transactions or log in to various services without access to the phone, provided the password was known

(Not Yet) a Catastrophe

To truly misuse the SMS codes, attackers would typically still need the password. However, "1-click login" links were also included in the data. For some large affected companies, only individual services were protected by IdentifyMobile. Nevertheless, IdentifyMobile's negligence exposed companies and their customers to significant risk. This is evident from the numerous similar inquiries from data protection departments worldwide now reaching us through all channels.

We are happy to confirm that we did not keep the data. However, we cannot rule out that others may have accessed it.

2FA-SMS Is Better Than Nothing, But Other Methods Don't Rely on IdentifyMobile

One-time passwords generated in an app or by a hardware token are more secure and independent of the mobile network. If this option is available, we recommend using it. And any second factor remains better than the password alone.