2024-10-10 20:58:58

Kaiser Shmee on Nostr:

Had to do one of those corporate "Security training" courses, today in fact.
It was in the "It's not only your computer. Don't trust your mobile devices either" section.
"Don't trust SMSes from random sources, don't click on received links in messages from unknown numbers. Verify the sender first."
I was like *uck! Is this real, in a "Security training"!

101, ABC of SMS. - You cannot *ever* verify the sender of an SMS without asking the sender in person if it sent the message.
Literally, you can put *anything* in the SMS sender field. Any text or phone number you want. Not verified anywhere.
Same goes for caller ID.

Just because some number is displayed on your phone does not mean that the owner of that number is calling you/sent the text.
The caller may not have any phone number at all, just a SIP trunk.

Knew about this "call center" that had no phone number, just a SIP trunk. They were sending random phone numbers as caller ID when making calls, and the operator knew/did not care.

And SMS is dead easy. Anyone can do it with any cellphone/landline modem that supports AT-commands, like 100% of any old cellphones.

Trusting SMS is like trusting me 'cause I say "Trust me bro".
Author Public Key
npub1rcn5ttxggyuyvq5xvdycqcfkxum8c55qfxnyxkt8zszu3lqg4slq8arez6