Member-only story

It’s time to stop using SMS for anything.

Lucky225
7 min readMar 15, 2021

By now most infosec professionals are aware of various ways SMS text messaging can be hijacked. For example so-called “SIM Swap” attacks, SS7 attacks, Port-out fraud, etc. All of these attacks however do require some level of sophistication, whether it be high level access to SS7, or account information or social engineering to successfully port out the phone number to a new provider or swap the sim on the existing account.

There is however other vulnerabilities that are not particularly well known. For VoIP numbers in particular, which may be assigned to a CLEC or VoIP wholesaler, the SMS may need to be routed to a different carrier than the carrier of record. This is accomplished in two different ways. One is an ALT SPID, which NPAC defines as “The four-digit identifier of a second service provider associated with a telephone number or thousand block. It identifies the wholesale service provider customer to which the PSTN service provider has assigned the number. The second service provider in turn may either assign the number to its retail customer or to another service provider for its use.” ALT SPIDs are vulnerable and susceptible to change and can be used to hijack SMS, but it too does require carrier-level access to make changes directly to NPAC. In particular, and importantly, it requires the current provider’s co-operation for the new carrier’s ALT SPID to be added in NPAC.

Which brings us to an alternative SMS routing provider, NetNumber. NetNumber has a product called NetNumber ID (NNID), it’s a 6 digit…

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Or, continue in mobile web

Already have an account? Sign in

Responses (5)

What are your thoughts?

Fascinating. Thank you! However, your disclosure appears to be less than "full". The Vice story you participated in says you are "Director of Information for Okey Systems". If that's true, then you really should state "I work for this company"…

Hello @Lucky225
Thanks for your research into this largely overlooked method to send/recieve SMS messages while appearing to be the legitimate owner of the phone number.
Has anything changed in the time since your research was published? Sad to see…

I have gone through dozens of voip provider and they all request a verification through sms before importing a phone number, so it seems pretty secure to me.