harikb | 5 days ago

Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.

In contrast, convincing someone to read an OTP over the phone is a one-time manual bypass. To use your logic...

An installed app - Like a hidden camera in a room.

Social engineering over phone - Like convincing someone to leave the door unlocked once.

JoshTriplett|5 days ago

> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.

The motivating example as described involves "giving the scammer everything they need to drain the account". Once they've drained the account, they don't need ongoing access.

jyoung8607|5 days ago

Persistence allows the scammer free license to attempt password recoveries for every account the victim could possibly have. Other banks, retirement accounts, the victim's email account.

sdenton4|5 days ago

When the victim's relatives send them money because they need to eat and pay rent after handing everything over to the scammer, the persistent backdoor lets that money be drained as well... You're underestimating the persistence and ruthlessness of the scammers.

array_key_first|5 days ago

This is still not a root cause solution, it's just a mitigation. Because you do not require side loading to install malware. The Play Store and Apple App Store both contain malware, as well as apps which can be used for nefarious purposes, such as remote desktop.

A root cause solution is proper sandboxing. Google and Apple will not do this, because they rely on applications having far too much access to make their money.

One of the fundamentals of security is that applications should use the minimum data and access they need to operate. Apple and Google break this with every piece of software they make. The disease is spreading from the inside out. Putting a shitty lotion on top won't fix this.

TeMPOraL|5 days ago

> A root cause solution is proper sandboxing. Google and Apple will not do this, because they rely on applications having far too much access to make their money.

Oh they do this quite well. Thing is, these sandboxes are meant to protect apps from you, not the other way around. That's why some apps - not just platform vendor apps but also select third-party apps - get special access and elevated privileges, while you can't even see what data they store in `/storage/emulated/0/android/data` even with ADB trickery.

NewsaHackO|5 days ago

> The Play Store and Apple App Store both contain malware

Wow, that's a major claim. What apps are malware, exactly?

> This is still not a root cause solution, it's just a mitigation.

Requiring signed apps solves the issue though, as it provides identification of whoever is running the scam and a method for remuneration or prosecution.

hulitu|5 days ago

> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise.

Why would an app silently intercept SMS/MMS data? Why does an app need network access?

Running untrusted code in your browser is also "a persistent technical compromise" but nobody seems to care.