
There's a free SMS sending service in our country. It requires a phone number to log in. Once registered, you can send SMS to any phone number within this country. The phone number which you use to send the SMS will be displayed to the recipient.

How risky is it and what will happen in worst case scenarios if one were to use a password such as '123456', 'password', or the phone number itself?

When logged in, here is the information available to the person:

  • username (in my case, it's my real name)
  • date of birth (I've given a false date of birth)
  • contacts: the website gives you the option for storing numbers you send SMS to. Only the name and phone numbers are visible (of course, the name is anything we specify).

Just to be clear, I don't use a password like that, but a friend of mine using this service does. So, I'm trying to convince him of the risks that he might be facing.

1 Answer


Well, by far the biggest threat is not the personal information leak on its own, but the ability of the attacker to impersonate you. By being able to send SMS from your number, plus a bit of social engineering, an attacker can convince a lot of people he is you (or your friend in this example).

While he may not be able to persuade, for example, a bank right away, he can just build up. First contact the cellphone service provider saying he needs a new SIM, getting full control of your phone number. Then use it to obtain the recovery SMS code for your email. Use the email to get access to a plethora of web accounts via "forgotten password" resets. Get personal information from these accounts and eventually trick important institutions, such as banks. Basically pulling off a full identity theft.

Peter Harmann
  • I appreciate the comment, but since receiving messages is not possible (you can only send messages), getting full control of the phone is not easy, right? Am I missing something? – popeye_the_sailorman Apr 26 '18 at 02:12
  • @NassimH it is not easy but it is not too hard either, just properly word the message that you can't talk and that you authorize the attacker to obtain a new SIM for your number. It is up to the cellphone service provider whether he accepts authorization through SMS, but if you play it correctly, they probably will even if they are not supposed to. – Peter Harmann Apr 26 '18 at 08:35
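To make the question's point concrete (why '123456', 'password' or the phone number itself are trivial to guess on a service where the login name is the phone number and every recipient sees that number), here is an added example; it is not code from the question, the answer or the service being discussed. It implements the kind of denylist check NIST SP 800-63B recommends: reject anything on a breached-password list, and reject anything derivable from the one identifier an attacker already has. The password list is a constructed, deliberately tiny sample standing in for a real multi-million-entry list, and the phone number used in the demo is constructed as well.

```python
"""Targeted weak-password check for an account whose login name is a phone number.

Added example (not from the original Q&A). COMMON_PASSWORDS is a constructed
sample in rough popularity order; a real deployment would load a breach-derived
list. The phone number in the demo is constructed, not a real subscriber.
"""
import re

# Constructed sample of frequently breached passwords, most common first.
COMMON_PASSWORDS = [
    "123456", "password", "123456789", "12345678", "12345", "qwerty",
    "abc123", "111111", "123123", "letmein", "welcome", "admin",
]


def _digits(s):
    """Keep only the digits of a string (drops spaces, '+', dashes)."""
    return re.sub(r"\D", "", s)


def phone_derived_candidates(phone_number):
    """Guesses an attacker tries first when the login name is the phone number:
    the number itself, without a leading 0, reversed, and its last 6 / 4 digits."""
    phone = _digits(phone_number)
    raw = [phone, phone.lstrip("0"), phone[::-1], phone[-6:], phone[-4:]]
    out = []
    for c in raw:
        if c and c not in out:   # de-duplicate while keeping guess order
            out.append(c)
    return out


def weak_password_reasons(password, phone_number):
    """Return every reason the password is trivially guessable by someone who
    already knows the account's phone number. Empty list means none found."""
    reasons = []
    pw = password.strip()
    phone = _digits(phone_number)
    pw_digits = _digits(pw)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.isdigit():
        reasons.append("digits only")
    if pw in phone_derived_candidates(phone):
        reasons.append("derived from the account phone number")
    elif len(pw_digits) >= 4 and (pw_digits in phone or phone in pw_digits):
        reasons.append("shares 4+ consecutive digits with the phone number")
    return reasons


def guess_rank(password, phone_number):
    """1-based number of guesses a targeted attacker needs with the candidate
    order above (phone-derived first, then the common list), or None if the
    password is not in that candidate set."""
    candidates = phone_derived_candidates(phone_number) + COMMON_PASSWORDS
    try:
        return candidates.index(password) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    demo_phone = "0917402865"   # constructed number for the demo
    for pw in ["123456", "password", demo_phone, "2865", "correct horse battery staple"]:
        print(f"{pw!r}: guess #{guess_rank(pw, demo_phone)}, "
              f"reasons={weak_password_reasons(pw, demo_phone)}")
```

The point the output makes for the friend in the question: with the phone number printed on every SMS, the number itself is guess number one, and '123456' or 'password' fall within the first handful of guesses, before any rate limit would plausibly trip. A real check would swap the sample list for a full breached-password corpus and run on the server at registration and password-change time.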