Yesterday, we shared the news about an SMS security vulnerability allowing spoofing that was uncovered by Pod2g. Of course, this affects iPhone users along with most other cellular handsets. So, will there be a fix in iOS 6 or even a patch for iOS 5? Well, Apple says there’s already a solution.
When Engadget took it upon themselves to confront Apple on how they were planning to deal with the situation, this was the response:
Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.
There you have it! The solution is converting all of your friends and family to iDevice owners, if you haven’t already, and have them sign up for an Apple ID account for iMessage. Even if you decide iMessage isn’t the best solution, there are plenty of other, more modern instant message services that could suit your communication needs.
Pushing the sales pitches aside, it seems a bit odd that we’re complaining about technology nearly three decades old. In fact, this isn’t even a flaw Apple could likely fix on their own as SMS is a global standard not defined by Apple.
In addition, while spoofing can be combated to an extent, the weak link is often, if not always, the recipient. I’m certain you’ve seen emails spoofing eBay and bank warnings, we’ve reported app scams, and there will always be spam texts.
Looking at the examples at the top of this article, it’s obvious the one on the left is a scam. No matter what phone number it’s from, the message is clearly a lie. However, if the one on the right were to come from your bank’s SMS number, you may be inclined to believe it’s legit. Which brings me to some final words of advice.
This common-sense approach, the same advice given to spoofing victims for quite a few years already, may be your best defense. If you’re ever skeptical about something, go to the secure website that you know is legitimate. Don’t click any links; enter the address manually if you must. If it’s a company, you could call their legitimately advertised support number. If it’s a message from a person, just call them and verify. This small amount of extra time spent early could save a lot of time wasted later.