
I've seen this attack first hand, causing a company thousands of dollars of damage (not including dev hours to resolve).

The exploit was on a mobile app that required phone verification upon initial onboarding, way before any other authentication can be performed. That made it relatively hard to reinforce the onboarding API call that triggers SMS.

It's a nasty problem, and effectively an arms race.


