UPDATE: The three major US mobile carriers have closed this particular loophole… however, it is not clear whether carriers in other parts of the world are still vulnerable, and the underlying weakness (that SMS routing is decided between carriers and resellers, with no say from the subscriber) has not gone away. SMS still should not be a security tool, IMHO…
Using SMS as a second factor for authentication has always been a bit iffy, due to the risk of “SIM swapping” attacks, in which an attacker talks (or bribes) a carrier into moving the victim’s number onto a SIM the attacker controls. However, many people (and organizations) have been willing to take the risk, as the general consensus has been that SIM swapping is a relatively rare and somewhat difficult attack to pull off.
Well, aside from the fact that SIM swapping seems to be an easier attack to pull off than we would like to think, it turns out that attackers do not even need a SIM swap to gain access to your SMS messages, and with them your 2FA codes.
For the princely sum of USD 16, one can sign up with a service that will redirect a target phone number’s SMS messages to a number of your choosing, as long as you are willing to provide a signed “Letter of Authority” in which you assert that you are the owner of said phone number. Apparently, your word (or that of an attacker) was good enough for at least one of these services. Note that, unlike a SIM swap, nothing about the victim’s SIM or service changes, so there is no loss-of-signal tell-tale; the messages simply stop arriving on the victim’s phone and start arriving on the attacker’s.
While the specific service mentioned in this article now claims to have changed its process to prevent such abuse, there are apparently a number of such services available out there, because SMS and its underlying protocols are basically insecure: routing of messages for a given number is arranged between carriers, aggregators and resellers, and the subscriber has no way to see, approve or revoke who is entitled to receive texts addressed to their number.
It is time to STOP USING SMS for 2FA and remove your mobile phone numbers from online accounts. Mobile phone numbers and SMS are not fit for purpose as a security tool, and there are much better options available: authenticator apps such as Microsoft Authenticator or Google Authenticator, or FIDO2 hardware tokens such as a YubiKey. Removing the number matters as much as switching the factor: as long as an SMS-based password reset or account-recovery path remains on the account, an attacker who can read your texts can bypass the stronger factor entirely. Bear in mind, too, that app-generated codes defeat interception but not phishing (a victim can still be tricked into typing one into a fake login page); only FIDO2 keys bind the login to the genuine site.
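To make concrete why an authenticator app’s codes cannot be rerouted the way SMS can, here is an added example (written for this page, not code from the original post or from any of the products named above) of how such apps compute their codes: a minimal RFC 6238 TOTP generator plus a server-side verifier, using only the Python standard library. The code is an HMAC over a secret shared once at enrollment and the current 30-second time step, computed on the device; nothing is ever sent over the carrier network, so there is nothing for an SMS-rerouting service to intercept. The RFC test secret is the one published in RFC 6238 Appendix B; the base32 provisioning secret, timestamps and login attempt in the `__main__` section are constructed for the example.

```python
# Added example: RFC 6238 TOTP as used by authenticator apps, with a
# server-side verifier that tolerates clock skew and refuses replays.
# Uses only the Python standard library.
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    This is the whole computation an authenticator app performs; no network
    round trip, no carrier, nothing to reroute."""
    return hotp(secret, unix_time // step, digits, digestmod)


def decode_provisioned_secret(b32: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (the 'secret'
    parameter of an otpauth:// URI, usually shown as a QR code). Normalise
    spacing/case and restore any stripped '=' padding before decoding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts the code for the current step or up to
    `window` steps either side (clock skew), compares in constant time, and
    rejects any counter at or below the last one accepted so a code that was
    phished or shoulder-surfed cannot be replayed inside its validity period.
    Returns the matched counter (the caller must persist it) or None."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted_counter:
            continue  # already used (or older than something already used)
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B: secret is ASCII "12345678901234567890", 8 digits, SHA-1.
    rfc_secret = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(f"T={t:<12} code={totp(rfc_secret, t, digits=8)}")

    # Constructed enrollment and login (not real credentials).
    secret = decode_provisioned_secret("JBSWY3DPEHPK3PXP")
    now = 1_700_000_000
    code = totp(secret, now)                     # what the app would display
    first = verify_totp(secret, code, now)       # accepted, returns the counter
    again = verify_totp(secret, code, now + 20, last_accepted_counter=first)
    print("first login:", first, "replay of same code:", again)
```

The verifier deliberately returns the matched counter rather than a bare boolean: the server has to store it per user and pass it back as `last_accepted_counter`, otherwise a code captured by phishing remains good for the rest of its 30-second step plus the skew window. That replay check, the constant-time comparison and the bounded skew window are the three things most hand-rolled TOTP verifiers get wrong.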