Security hidden trouble of SMS verification code

In this era, almost everyone is using a mobile phone. As long as you use a mobile phone, there is no one who doesn't know the SMS verification code. As the speed of mobile phone upgrading is getting faster and faster, major apps are also born. Generally, using APP requires login authentication, and the most common is to use mobile phone number as identity authentication. Due to the high usage rate of mobile phones, telephone numbers are unique.

After careful calculation, each of us may have many accounts tied to our mobile phone numbers. For example, Alipay, WeChat, Tencent Video, etc. , the more accounts you bind, the more personal information you contact. I believe everyone is familiar with the presentation of SMS verification code. Generally, when registering an account, you will receive a random verification code message, which mostly reads: "Dear customer, you registered on a website, and the verification code is xxxxxx. Please use it within half an hour, and it will be invalid after expiration. "

When you fill in the verification code, you pass the registration. If the verification code is not filled in within the specified time, you can click the "Send Verification Code" button again, and the system will send a short message again for the second verification, so as to determine the ownership of the user's mobile phone number.

In the current mobile phone market environment, SMS verification codes often appear in our daily lives, so is there a hidden danger in SMS verification codes?

There must be. At present, the threat of SMS verification code mainly includes several aspects:

First of all, SMS Trojan on the smartphone platform. Trojans appeared in large numbers in the spring of 20 14, mainly based on Android platform. One of the most important ways for Trojans to enter mobile phones is phishing messages. Especially at present, customers have to go to enterprises and institutions to handle affairs, and the follow-up feedback is basically short messages, such as notices from banks, payment companies and government agencies. This kind of trust will give phishing messages room to display, and phishing messages will always send content in various official tones, and there will be links inside. After the user is induced and clicks Enter, an APK prompt will be downloaded for installation. Once installed, the phone will be hit by a Trojan horse.

Moreover, the spread of Trojans is very rapid, and it will quietly send various fishing messages to contacts on mobile phones to expand.

Many cases can be seen in the analysis report of Alipay thieves. A Trojan horse is widely used in Alipay fraud. The criminals tricked the victim into downloading and installing Trojans through the QR code, and then reset the victim's Alipay and Taobao accounts to steal money. This Trojan has formed a very complete industrial chain: from horse makers to selling and renting horses, to fishing, cheating, washing numbers and transferring money.

Second, card exchange attack and clone attack. SMS verification code is actually based on mobile phone number (SIM card/carrier service), not mobile phone equipment. As long as you have the same card, you can naturally receive the verification code and reset your account. According to the operator, ID card and service password are required to change the card. If you forget the service password, you also need to provide the last five telephone contact records. The weak link here is mainly that operators in some areas are not strict enough in the identity verification of card replacement personnel. In the early years, when the structure of SIM card was simple, you could even clone a card directly. However, with the development of technology in recent years, the management in this area has become more and more strict.

Third, radio monitoring. In fact, it is to monitor users through pseudo base stations, so as to obtain short message content and then carry out theft activities.

At present, in view of these three aspects, the Android system has tightened the SMS authority, and the operators have also strengthened their security awareness in maintenance, and now the management is becoming more and more strict.