Skip to content

Brown’s Bytes – How Secure is an SMS Message?

Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes

11th July 2019

This week I thought we could take a look at an area that everyone uses, but rarely questions…

So, how secure is SMS?

As is often the case the answer lies in the past. SMS was originally a bit of a throwaway bi-product of the GSM mobile phone standards. And those standards date back to the 1980s with the first text message sent in 1992.

Despite the fact that the modern world now uses SMS for all kinds of communication, at its heart there is still the basis of it being a bit of a bolt on service. As an example, there are no guarantees when your message will arrive or even that it will arrive at all – various studies have shown that between 1% and 5% of all SMS messages are lost!

The whole thing is fire and forget…

And more concerning is, there is no check to see if the intended recipient got the message.

And this matters more than ever!

Why??? Simple answer – SMS Token Codes

You must have noticed in your personal life that everything is moving to multi-factor authentication (MFA). This is a very good thing, but the default setting for many services is to use SMS one-time PIN as the MFA option.

And, let’s be fair, it is way better than static username and password.

Now in the Enterprise space we’ve been banging the drum about the need for MFA much longer and there are (hopefully) more options available for what the second factor is, but it is surprising how often SMS Token Codes are considered an equal security option to the others.

But they’re not – SMS can be compromised… it’s easier than you think to hijack someone’s number to intercept a text message.

I’ve spoken before about the fact that not all MFA is equal in security – this specifically is an area where SecureAuth lead the market by putting in place checks before a one-time PIN is issued to make sure that you’re not sending the PIN to an attacker.

MFA is good – but SMS protection needs to be considered.

Get in touch if you want to find out more.