Pagoda Blog

SMS is one of the most common forms of multi-factor authentication. Unfortunately, it’s also the most vulnerable to interception. It’s understandable why SMS is so popular — it’s undeniably convenient to receive a one-time use code via text to verify your identity. And the ubiquity of SMS as a form of MFA (even banks use it!) has duped users into believing it’s more secure than it actually is. 

 

Let’s look at the facts, and see why SMS should not be used as a form of 2FA or MFA on accounts that harbor highly sensitive information. 

 

The vulnerabilities of SMS or text-based MFA

When you use SMS or text as an additional layer of security on an account, it works like this: You enter your username and password on the website or app and a text is then sent to your mobile device with a single-use code. You then enter the code where prompted on the website or app and … voila! You’re in. It’s fast and convenient but like most things that promise immediate results, it turns out to have some major flaws. 

 

The primary flaws of SMS include: 

 

SMS is not encrypted

Those single-use codes texted to your phone are not encrypted, making them far easier to intercept. SMS messages are sent in plain text which means your mobile phone carrier or anyone who gains access to your device (see SIM swapping below) can read your text messages. 

 

SMS is vulnerable to phishing  

It’s all too easy for a bad actor to obtain personal information through a phishing scam that then gives them access to your text messages. These scams often include the bad actor calling your mobile carrier and convincing customer service that they are the owner of the phone. 

 

Mobile carrier outages

If your mobile carrier experiences an outage, you will not be able to receive texts, preventing you from accessing your accounts. 

 

SIM swapping

The most major of SMS’s security flaws is SIM swapping. Let’s explore this flaw in more detail below. 

 

What is SIM swapping? 

Through a process called SIM swapping, bad actors can receive text messages from someone else’s phone number onto their own device. SIM swapping utilizes phishing campaigns to first glean personal information from the target. The cybercriminal may also gain this information through fraudulent phone calls or they may purchase it on the dark web. (If you’ve ever been the target of a data breach, your personal information is likely for sale on the dark web.) 

 

The cybercriminal uses social engineering tactics, such as impersonating someone the target knows and trusts, in order to trick them into sharing a password, social security number, home address, or other piece of identifying information. They then call the target’s mobile phone carrier and impersonate them using the stolen personal information. 

 

The bad actor claims that their SIM card is stolen or missing and asks to transfer their number to a new SIM card. Even though mobile carriers typically require a PIN to transfer phone data to a new SIM card, many mobile carrier employees can be tricked into believing the impersonator and transferring the data anyway.    

 

Once the cybercriminal has successfully transferred your phone number to a SIM card in their possession, they will now receive any text messages to their own device. This means that if you have SMS set up as your form of 2FA or MFA on an account, the cybercriminal will receive the single-use code. They can then use this code to reset your password and gain access to that account. 

 

Victims of SIM swapping may lose access to critical accounts such as bank accounts, social media accounts, and email accounts. They may also have their checking and savings accounts drained and highly sensitive personal information may end up for sale on the dark web. 

 

How do you know if you’re a victim of SIM swapping?  

It’s usually easy to tell if you’re the victim of a SIM swap. First, you may lose cell service and will not be able to send or receive text messages or calls. Sometimes, before losing service, you will receive a text telling you that your SIM card has been changed. 

 

Bad actors can also redirect text messages to their own device by using paid services that offer SMS marketing and mass text messages. Anyone can sign up for one of these ‘SMS enablement providers’ and sign an LOA (letter of authorization) claiming/verifying that they have permission to use the phone number and that they will not conduct any unlawful, harassing, or inappropriate behavior. Once signed, the bad actor can then send and receive text messages using that phone number. 

 

Steps to take if you’re a victim of SIM swapping

If you think you’re a victim of a SIM swap, call your mobile carrier immediately and report the events. They can help you follow the appropriate steps to recover your phone number and stop the unauthorized party from receiving your texts. You should also take additional steps to secure potentially compromised accounts. 

 

Below are 5 steps to follow if you experience a SIM swap:   

 

1. Call your mobile phone carrier and report the SIM swap. 

 

2. Change passwords on all your accounts. 

 

3. Implement 2FA or MFA on all your accounts using something other than SMS, like an authenticator app or biometrics.

 

4. Contact your banks to place alerts on your accounts and to request monitoring for suspicious activity. 

 

5. Contact your local law enforcement agency to report the SIM swapping and file a complaint with the FBI’s Internet Crime Complaint Center (IC3). 

How to protect yourself from SIM swapping and SMS fraud

SIM swapping is only becoming a larger threat, especially with the rise of large-scale data breaches that leak the personal information of millions of people. (One relevant data breach is the 2021 cyberattack against T-Mobile.) Everyone should take the following steps to protect themselves from SIM swapping: 

 

Use another form of identification for MFA

The first thing you should do to protect your information is to stop using SMS as a form of MFA on high-stakes accounts that contain highly sensitive data. These accounts include your bank accounts (when possible — some banks don’t yet have another option) and business accounts such as Google Workspace and Office 365. There are other more secure forms of MFA such as biometrics, an authenticator app, or a hardware authenticator. We lay out the different forms of MFA and the vulnerabilities and strengths of each in this blog post.  

 

Learn to recognize phishing attempts

The better you are at recognizing a phishing attempt, the less likely you are to fall prey to this type of cyberattack. A company’s entire network can be compromised if just one employee clicks a malicious link or shares a password via a phishing email. Take the time to train all your employees on the dangers of phishing attacks and how to spot them. 

 

Keep personal information off the internet

We tend to overshare on social media but any piece of personal information that we post on Facebook, Instagram, or Twitter can be used by a cybercriminal in a phishing campaign or to guess your password and/or the answers to security questions intended to safeguard your accounts. Never share photos of identification cards such as a Drivers License, health insurance card or even a vaccination card online or via direct message. Social media platforms can experience their own data breaches and any personal information you share via direct message could then become public. 

 

Remove your phone number from email accounts

Email providers often ask for a phone number as a way to verify and/or recover the account. This may even be required by your email provider (and other online accounts) upon initial setup. Often, however, you don’t have to keep your mobile phone number associated with the account after setup. We recommend taking the time to go back into any accounts connected to your mobile phone number and removing that number as a form of backup or identification. 

 

Take steps to secure your mobile phone account  

In a previous post we shared tips to keep your smartphone from getting hacked. It’s also important, however, to protect your mobile phone account. Your mobile phone account should utilize MFA, starting with a strong, unique password. We recommend generating and storing this password through a password manager like Passportal by N-Able. 

 

Next, add a PIN number or passcode as the second layer of security. Although, as we mentioned before, employees can be tricked into allowing access to your account even without a PIN, this extra layer of protection can still deter someone from hacking into your account.  

 

If you receive an unexpected phone call from someone claiming to work for your mobile phone carrier, never volunteer personal information. Instead, ask for information regarding the call such as a reference number and then hang up and call the number for your mobile phone carrier that’s listed on their website. 

 

SMS trades security for convenience

Although we are known for saying that any form of MFA is better than no MFA, in some cases, SMS may provide less security than expected. We don’t believe it’s realistic, or necessary, however, to shun the use of SMS entirely as a form of 2FA or MFA. What we do recommend is to deactivate SMS across highly sensitive accounts and instead implement a more secure form of MFA. You may also want to consider passwordless authentication to strengthen your account security. . 

 

Feature Photo by LinkedIn Sales Solutions on Unsplash

 

Related reading: 

How to Setup Passportal for Your Entire Team — And Secure Your Account Credentials

How a Cybercriminal Identifies Their Next Target

4 Types of Social Engineering Attacks and How to Prevent Them 

 

Want to get more posts like these in your inbox? Sign up for the Pagoda newsletter and we’ll send you the occasional email with content that will sharpen your technical skills, from cybersecurity to digital marketing. 

 

Did you know we also have a weekly LinkedIn newsletter? Make sure to subscribe for weekly actionable IT advice and tech tips to set your business up for success.

 

-------------------

 

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.