Yet another case of scammers being one step ahead?

    • #1823090
      Janelle Ward
      Member

      Hackers have found a way to use a barely used feature of mobile phone networks – that was put in place 19 years ago – to get around security systems from Apple, Microsoft, Okta, Signal and other software providers.

      Jamieson O’Reilly, CEO of cybersecurity firm DVULN, says the feature can be used to bypass multifactor authentication (MFA).

      It’s still enabled on mobile phone networks worldwide and lets attackers divert voice calls if they can fool phone owners into clicking on a link that contains a ‘tel://’ prefix, followed by a code that diverts calls to a new number owned by the attacker.

      The AFR says the feature became more of a risk after companies started using voice calls as a fallback in MFA.

      This means that attackers could divert a victim’s voice calls and then bypass MFA by requesting the code be sent by voice.

      Mr O’Reilly said the recent rise in AI systems capable of faking an individual’s voice meant that call diversion could also be used in other attacks where computers are used to impersonate the recipient of calls.

      A Telstra spokesman said the phone company had yet to see any abuse of the tel:// prefix on its system, but would start to block any SMS messages it saw with malicious tel:// links.

      Is that yet another potential scam to add to your list?

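A sketch of the kind of message filter the Telstra statement describes, added here as an example and not part of the original post or any carrier's code. It assumes a diversion code is recognisable as a network service code (it contains `*` or `#`, possibly percent-encoded); the function names are hypothetical and the sample values use a placeholder code, not a real one.

```python
import re
from urllib.parse import unquote

# Matches tel: and tel:// links up to the next whitespace, quote or angle bracket.
TEL_LINK = re.compile(r"tel:(?://)?([^\s\"'<>]+)", re.IGNORECASE)
# Characters expected in an ordinary dialable number (digits plus visual separators).
PLAIN_NUMBER = re.compile(r"^\+?[0-9().\- ]+$")


def classify_tel_target(raw):
    """Return 'plain-number', 'service-code' or 'unknown' for a tel: link target."""
    target = raw
    # Decode repeatedly so a double-encoded '*' (%252A) or '#' (%2523) cannot hide.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.split(";", 1)[0]   # drop tel: URI parameters such as ;ext=
    target = target.rstrip(".,!?")     # drop sentence punctuation glued to the link
    if "*" in target or "#" in target:
        return "service-code"          # assumption: diversion codes use * and #
    if PLAIN_NUMBER.match(target):
        return "plain-number"
    return "unknown"


def suspicious_tel_links(message):
    """List the tel: links in a message whose target is not a plain phone number."""
    findings = []
    for match in TEL_LINK.finditer(message):
        verdict = classify_tel_target(match.group(1))
        if verdict != "plain-number":
            findings.append((match.group(0), verdict))
    return findings


# Constructed sample messages; "NN" and the zero-filled number are placeholders.
SAMPLES = [
    "Call us back on tel:+61255500100 to confirm.",
    "Verify your account: tel://*NN*0000000000#",
    "Tap to secure your phone tel://%2ANN%2A0000000000%23 now",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", suspicious_tel_links(sample) or "ok")
```

Links flagged as `unknown` are worth human review rather than automatic blocking, since legitimate tel: links sometimes carry unusual formatting.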