April 6, 2021

5 things you didn’t know about SMS login security

Parth Awasthi
Head of Product

Two-factor authentication (2FA) is an essential security measure for any service you sign into. For authenticating sign-ins and transactions on mobile apps, using SMS to verify phone numbers has become the norm. 

With this method, the user’s expected phone number is sent a text message with an OTP (one-time password), and if the user enters the correct OTP back into the app, it is assumed that they are the phone’s owner.

But if your mobile application uses SMS OTP to verify your users, there are a few security essentials you really need to know about how this system works behind the scenes. Read on...

1. SMS messages aren't encrypted

When you transmit secure information such as passwords online, that data is usually encrypted – meaning that it’s turned from its original form (‘plaintext’) into an encoded form (‘ciphertext’) that can only be accessed by authorised parties. 

SMS, however, runs on Signalling System 7 (SS7), a protocol for machine-to-machine communication from 1975 that wasn’t designed with human intervention in mind. That means anyone with access to the signalling network can read SMS messages – including sensitive information such as 2FA codes – in plaintext. 

2. SMS messages may never get sent

SMSCs (SMS Centres) work using the ‘store-and-forward’ technique. They receive the message from the sender, save it, and then attempt to forward a copy to the recipient on a ‘best-effort’ basis. 

As well as the obvious security problems when it comes to sensitive information like password reset codes, this also means that in some cases, the message simply never arrives – which is why you still need that ‘resend code’ option. 

3. Scammers can spoof your company's identity

You’ve probably received an SMS message out of the blue where the sender is listed as your bank, post office, or pharmacy, despite not having that company’s details saved to your phone. This is possible because most Mobile Network Operators support alphanumeric sender IDs as the origin of SMS messages. Achieved with ‘SMS gateway software’, this has legitimate origins: it’s convenient for a business to identify itself when it sends important information to users en masse, as customers might ignore a random phone number.

Unfortunately, as is often the case, this technology has been used by criminals to masquerade as a business and steal information. Since there are few checks, it is possible for you to receive an SMS that claims to be from a sender with no real association. Attackers impersonate banks and businesses, attempting to trick users into following a malicious link or replying with personal or financial information.

4. SIM swap fraud completely bypasses SMS 2FA

The good news is the likelihood of an attacker breaking into the SS7 network to find 2FA information is quite low. Unfortunately, though, there’s a steadily rising number of cases of SIM swap fraud as a more sophisticated way to steal this information.

In a SIM swapping attack, the fraudster will either bribe a telco employee or use social engineering to assume a target’s identity, saying that they’ve lost their phone and want to switch to a new SIM card. 

This means all messages and calls meant for the target’s phone number are now rerouted to the attacker, who then swiftly triggers SMS-based security to break into financial accounts and reset passwords before the victim can take action. 

5. You don't have to use SMS for mobile authentication anymore

It’s clear that relying on codes, especially through a method as insecure as SMS, is flawed. But other methods, such as biometric and hardware authentication or downloading external apps, aren’t universal – you can’t expect all your users to adopt them.

Luckily, there’s now a method of mobile authentication that has all the conveniences of SMS without any of the security or UX problems. 

With a tru.ID solution, the only thing you need from your user is permission to process their phone number. It’s so simple: the user enters just their mobile phone number, and the app communicates instantly with the MNO (mobile network operator) to verify that this number is the one linked to that SIM. It’s frictionless, invisible authentication that looks like magic to the user, and it can also mitigate SIM swap fraud. 

tru.ID: Mobile Authentication, Reimagined

Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.

Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity, providing a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud. Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:

Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is a big improvement and a short-term fix while you plan the full solution.)
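The issue-and-verify flow described at the top of the post (send a code, accept it once, assume the entrant holds the phone), combined with the pre-send SIM-change gate described here, as an added Python example that is not tru.ID's code: `sim_check` and `send_sms` are hypothetical injected callables standing in for a SIM-swap lookup and an SMS gateway, and the expiry, attempt limit and constant-time compare are the checks a server-side implementer would want regardless of which gateway is used.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL = 300       # seconds a code stays valid
MAX_ATTEMPTS = 3    # wrong guesses before the code is invalidated


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """SMS OTP issuer/verifier. `sim_check(phone)` returns True if the SIM
    behind the number changed recently; `send_sms(phone, code)` returns True
    on accepted delivery. Both are hypothetical stand-ins, not a vendor API."""

    def __init__(self, sim_check, send_sms, now=time.time):
        self.sim_check, self.send_sms, self.now = sim_check, send_sms, now
        self.pending = {}   # phone -> Challenge

    def request_code(self, phone: str) -> str:
        # Gate: refuse to send if the SIM changed, since the OTP would land on
        # the handset now holding the number (the SIM-swap case in point 4).
        if self.sim_check(phone):
            return "blocked_sim_change"
        code = f"{secrets.randbelow(10**6):06d}"      # uniform 6-digit code
        self.pending[phone] = Challenge(code, self.now() + OTP_TTL)
        # Store-and-forward is best effort (point 2): surface delivery status
        # so the caller can offer 'resend'; the code stays valid either way.
        return "sent" if self.send_sms(phone, code) else "delivery_failed"

    def verify(self, phone: str, guess: str) -> bool:
        ch = self.pending.get(phone)
        if ch is None or self.now() > ch.expires_at:
            self.pending.pop(phone, None)           # expired or unknown
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code, guess)    # constant-time compare
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[phone]                 # single use, or lockout
        return ok
```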

Try us, follow us, join us

  • To see our products in action, schedule a demo now or sign up to start testing and integrating our APIs 
  • Follow us on LinkedIn and Twitter
  • Want to join the team? We’d love to hear from you.