You have had SMS messages since the birth of mobile phones because their functionality was to make and receive calls, and send text messages.
Every mobile network operator supports SMS. But as with technology something better always comes along. Not that people have stopped using SMS; alternatives like Signal and Telegram exist.
The advantage SMS messages have is that it’s available to everyone. You don’t have to pay, download, or install it from app stores. It’s built-in.
However, the disadvantage is that they are open books. Anyone from your mobile network carrier, to the government, hackers, or criminals can read them.
The scariest part is that 2FA codes are routinely sent over SMS, especially by banks, etc.
The problem is you can hide nothing from your cellular company. And don’t say I have nothing to hide, please.
And since SMS isn’t end-to-end encrypted it’s an open invitation for anyone to view them. Therefore, they can do profiling, gather data on you, and sell it to third parties (one reason you get spam messages).
Would you want that? Of course, no!
Additional reading: Why must we get paid for our data
In the United States, according to ECPA, police can access your SMS messages that are over 180 days old without your consent. With a warrant, for messages that are less than 180 days old.
Signalling System 7 (SS7) is another major issue.
Hackers have learned a way to exploit SS7 that gives them access to your calls and texts.
And then exploit your financial information to their ill intent ways.
According to the news outlets, access to SS7 is widely available to both criminal and foreign governments.
For those of you who don’t know, SS7 is a telephony signaling protocol that enables the underpinng of mobile networks across the globe. Thereby allowing users to connect, pass messages, ability to roam, and ensure correctness in billing. And you guessed it, you can use it for sending the SMS.
As far back as 2008, the SS7 protocol is considered an unsafe means of communication. Yet you won’t find anything done to improve its security.
If I may indulge you, take a look at the following sources of information to know what it means SS7 is unsafe:
- Do not pretend SMS is secure
- Mobile network is used for spying
- SS7 gives unrestricted access at spying
- How you’re tracked around the world just like a Hollywood spy thriller
- SS7 spying flaw makes cellphones a hub of data collection and goes unaddressed to this day
Despite all of the above why is it that governments or agencies continue to allow it? Because they get a trove of user data.
I was watching “The Terminal List” starring Chris Pratt on Prime Video and he specifically asks the journalist to use Threema for any mode of communication between them. Later, I saw one of the posts on Threema’s LinkedIn page appreciating how the showrunners highlighted the need for secure and E2EE messaging instead of SMS.
One day on Reddit, I read a post about how someone woke up and found out the funds in their Binance account was emptied without any notification. The affectee said he had 2FA turned on and was at a loss how could this have happened. Even if someone broke in, how did they bypass 2FA?
Bypassing 2FA is next to impossible unless you’re a victim of SIM swapping. I gulped. The reason he didn’t get any notifications was that the perpetrator swapped his SIM. If he had been notified, he could’ve at least tried freezing his account and stopped the funds from getting stolen. The fact that it happened without ruffling any feathers was something unheard of.
Mobile carrier service providers can transfer the number of a user from one SIM card to another if their phone went missing or was stolen. Hackers use it to great effect. They can have the mobile service operator believe they are the user and instead have the number transferred to their SIM card.
You know what that means.
A word to the wise. Whitelist withdrawal addresses on exchanges where you hold your crypto as that prevents unauthorized withdrawal. If someone were to change your info on file such as an email, withdrawal activity is automatically restricted for 24 hrs. giving you enough time to take remedial measures.
That’s why “Authy” is a big NO when it comes to 2FA as it’s linked to your phone number. Instead, check out “Aegis” or “KeePass” two-factor authentication clients that are open source and if you ever decide to switch devices, you can export their backup and import them into the app on your new phone. Though you must exercise care when moving your secret codes; no one else is watching or have access to them.
Google and Microsoft authenticators and other similar apps lock you in their ecosystem and don’t let you keep the secret codes to services. Be wary of them because, in the event of a hack, you risk losing your data.
Below is a great tutorial on TOTP by Techlore.
Back to SIM swapping.
Many banks today don’t offer 2FA through authenticator apps and rely heavily on SMS for OTP. So once they have your number, they can steal and hurt you at will. Per the FBI, SIM swapping attacks attacks have increased 15-fold over the last few years.
Also note, that any malware on your phone can have access to your SMS messages because they aren’t encrypted.
iMessage on Apple is an option that’s E2EE but only when texting among Apple users. However, even with E2EE enabled, Apple can access your messages, why? Because they are backed to iCloud without end-to-end encryption. Moreover, 2FA codes are still sent as regular SMS messages. So it defeats the purpose of a truly secure messaging app.
Rich Communication Services (RCS) protocol that Google now implements in its Messages app is another such option. The only caveat is, that it’s not E2EE. At least not without Google’s extension which when used with RCS, makes it end-to-end encrypted. Overall, the protocol makes it cumbersome to achieve the secure messaging goal.
Secure SMS alternatives
Well, it’s not “WhatsApp”! And certainly not “Messenger.” In The Terminal List, Pratt’s character calls out WhatsApp communication as being compromised from the start and we all know that because it’s Meta (Facebook) and the company abuses and collects your data which is ingrained in their operating model.
Some apps are more secure than others. However, internet-based third-party messaging apps are all that anyone uses today to chat replacing SMS messages to a greater extent. But SMS is here to stay as most services rely on them. And it’s going to be a while before the world completely switches over to the alternatives.
“Threema” and “Sessions” doesn’t require your phone number or name, etc. to sign up to their platforms. You’re assigned an ID and you use it to communicate with others. The prerequisite is the other person must also have the app to ensure secure conversation flows.
To wrap it up
SMS is fundamentally broken. Enough said. Secure third-party messaging apps are your best bet.