sms
Latest
Google takes a snarky shot at Apple over RCS in its latest ad
Google just released a fake ad for the iPager, a made up retro-style beeper that shows off the limitations of Apple’s SMS text messaging platform. Apple’s continued reliance on SMS tech has impacted interoperability between iOS and Android devices.
Signal is winding down plaintext SMS support in its Android app
While it may be inconvenient, the move could make messaging more secure.
Here's why your Apple two-factor texts include strange tags
Don't worry if you see unusual tags at the end of Apple's two-factor texts — they're meant to improve security.
The first text message is now a $150,000 NFT
Vodafone will donate the proceeds to the United Nations Refugee Agency.
Major SMS routing company says it was the victim of a five-year hack (updated)
A company that routs SMS messages for major US carriers said it had been hacked for five years, but it's not clear how much damage was done.
AT&T will soon enable RCS messaging for all Android phones
Google Messages will be the default chat app for AT&T customers.
OnePlus Nord will rely on Google's calling and messaging apps
The OnePlus Nord will use Google's phone and messaging apps rather than leaning on OnePlus' own.
T-Mobile customers can send RCS messages to Android users worldwide
It's taken a couple of years, but T-Mobile now fully supports the RCS Universal Profile protocol, which is good news for Android users on the carrier's network.
Uber rolls out text-to-911 feature across the US
As part of its ongoing efforts to keep drivers and passengers safe, Uber is introducing a new, in-app text-to-911 feature in the US. It could be especially useful if a driver or passenger needs to contact emergency services discreetly, without escalating a situation further.
Google Messages may send iMessage-style 'liked a photo' reaction texts
It looks like Google Messages will soon let users send iMessage-like reaction text messages to people without Rich Communication Services (RCS). If the recipient doesn't use Google's next-gen text messaging, rather than see a thumbs-up bubble reaction, they'll get a written description, such as "liked a photo" or "laughed at a text."
Apple engineers propose a way to make using two-factor texts easier
If you've ever used online banking or any other highly-secure website, chances are you've encountered a one-time passcode (OTP) before. These are SMS messages sent to your phone with a unique code that verifies your identity with the website you're on. For a lot of users, inputting this code into the website involves tapping back and forth between the browser and the SMS client -- and in some cases even having to physically write down the code, because it's so long or complicated. Now, Apple engineers have put forward a proposal designed to make the whole process easier and more secure.
Google adds spam detection and verified business SMS to Messages
Businesses often send one-time passwords, account alerts and appointment confirmations via text. But if you've ever received one of those, you know they tend to come from a random number, and bad actors can take advantage of that by disguising phishing scams as one of those messages. To protect users, Google will soon verify SMS messages from registered businesses.
Millions of text messages were carelessly exposed by a marketing firm
Yet another exposed database has left public data out in the open, and this time it affects something you might use often: the systems businesses use to text you for appointments. Researchers at vpnMentor recently discovered that TrueDialog, an SMS solution provider for businesses, left "millions" of accounts and "tens of millions" of text messages unprotected on the web. The messages sometimes included sensitive info like recipients' full names, email addresses and phone numbers, but the accounts' data was noticeably worse. You could find usernames, email addresses and a mix of clearly visible and lightly-encrypted passwords, including for commonly-used sites like Facebook and Google.
Now Twitter users can enable two-factor without linking a phone number
Twitter has finally made a change users have been waiting a long time to see. No, it's not editable tweets, but as of today everyone can enable two-factor authentication on their account without linking a phone number. While SMS-based two-factor can be a fallback for people who lose access to code-generating devices or don't have security keys, it's very vulnerable to SIM-swapping attacks. Twitter added code generator support a while ago, but still asked users to add a phone number if they wanted the extra verification and you couldn't remove the fallback. That's upsetting for those concerned about their privacy, they may not want to link a phone number to their account at all, and Twitter has already admitted that it used phone-numbers to target ads even for users who declined that. Attackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey's account earlier this year, and while the exploit didn't use two-factor codes, it showed how vulnerable the SMS-based system can be. If you already have a phone number linked in your profile, then you can go ahead and remove it now. However, a security engineer noted that you can't remove the number and rely simply on a security key for access since that's only supported on the website.
Cross-carrier glitch sent people ancient texts in the middle of the night
Did you wake up to a resurrected Valentine's Day text message on your phone? You're far from the only one. Numerous users have reported receiving old text messages overnight, all of them from February in one year or another (often around Valentine's Day) -- and frequently messages that didn't initially reach their destination. The zombie texts appeared across multiple carriers, including the top four US networks as well as Canada, and surfaced whether you were using an Android device or iPhones. There appears to be an explanation, although there's still plenty of mystery.
Migrating eagles flew to Iran and racked up huge roaming bills
Russian scientists were forced to launch a crowdfunding campaign after endangered Steppe Eagles ran up a huge data roaming bill. Equipped with SMS transmitters, they left from Southern Russia and Kazakhstan, but some went a lot farther afield than expected. One particular eagle called Min accumulated a pile of location data messages when it was off the grid in Kazakhstan. Then, it unexpectedly flew to Iran and sent them all off at 49 rubles ($.77) each, using up the team's entire tracking budget.
AT&T, T-Mobile, Sprint and Verizon team up to push next-gen RCS texting
For years we've been hearing about the potential of RCS, a protocol replacement for SMS that would bring iMessage and Whatsapp-like features to texting. Unfortunately there's been very little to show for it, with spotty support among carriers, and only Google and Samsung showing any real movement. Today the big four wireless carriers in the US -- AT&T, Sprint, T-Mobile and Verizon (parent company of Engadget) -- announced their "Cross-Carrier Messaging Initiative." It's a joint venture that they promise will "Create a single seamless, interoperable RCS experience across carriers, both in the U.S. and globally."
Vulnerability lets text messages steal emails from Android phones
Bogus text messages aren't just being used to send you to malicious websites or crash your phone -- in some cases, they can hijack your emails. Check Point Research has discovered a vulnerability in phones from Huawei, LG, Samsung and Sony that lets attackers use custom SMS to intercept all email traffic on target devices. The attack uses the common Open Mobile Alliance version of over-the-air provisioning, a carrier technique for deploying settings to new phones, to access emails. The attacks require different methods depending on the phone and available info (such as IMSI numbers and requesting PIN codes), but the result is the same: intruders trick users into compromising their phones through messages that pose as network settings changes.
Twitter temporarily disables tweeting via SMS after account hijacks
Twitter isn't taking any chances in the wake of hackers compromising the accounts of celebrities and its own CEO. The social site is "temporarily" disabling the option to tweet via SMS until there's greater security in place. Carriers need to address "vulnerabilities" in their systems, the company said, while Twitter itself planned to tackle its reliance on linked phone numbers for two-factor authentication. It'll reinstate SMS tweeting in regions that need it for "reliable communication," but it's working on a long-term solution.
Twitter CEO Jack Dorsey's account has been compromised, again
Securing accounts online can be difficult, especially when you've got a lot of legacy access points laying around. Today's example is Twitter CEO Jack Dorsey, whose Twitter account has suddenly been hijacked to send random messages and racial slurs. A quick look at the messages (which are quickly being deleted) identifies their source as Cloudhopper, an SMS service Twitter acquired back in 2010. While newer users may not remember this period, but there was a time when SMS was the main way to use Twitter, and some have noted that Dorsey was still posting using text messages as recently as this year. Twitter announced that it is aware the account has been compromised and is investigating. I confirmed on my own account that texting 40404 from my registered number still works, and identifies the tweet's source app as Cloudfront. With no option for other protections, tweeting from Dorsey's account (or anyone else's) is just as easy as pulling off the increasingly common SIM hijack to steal their phone number. This isn't the first time someone's used a backdoor to send messages from Dorsey's account, however. In 2016, the group calling itself "OurMine" hijacked a number of high-profile accounts, including @Jack, and alleged that Vine stored passwords insecurely. Update: Twitter has confirmed that Dorsey's account is again secure, and without explaining how the exploit worked, said "there is no indication that Twitter's systems have been compromised." That would be consistent with someone swapping the CEO's SIM or somehow spoofing the number, neither of which would require actually compromising Twitter or accessing his account directly. Update 2 (8:27 PM ET): Twitter explained what happened and it was as I suspected, "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number." Journalist Brian Krebs recommended using a Google Voice phone number to register online accounts, since that can be secured with 2FA and hardware keys, which mobile carriers don't support.
