Why SMS-based Phone Verification Is the Hidden Threat to Mobile Security
SMS messages can be spoofed by malicious actors, or intercepted by man-in-the-middle attackers. What’s the alternative for mobile authentication?
Two-factor authentication (2FA) is an essential security measure for any service or app you sign into. There are different identities — and a variety of approaches to verifying them — which are used as the second factor for authentication. For authenticating sign-ins and transactions on mobile apps, SMS-based verification has emerged as a de-facto standard: you receive a text message with an OTP (one-time password), confirming that you are the phone’s owner.
This method of mobile authentication, however, isn’t actually as secure as you may think. Not only can an SMS message be spoofed and actually originate from a malicious actor, but they can also be read and intercepted by man-in-the-middle attackers.
SMS is vulnerable by design
SMS runs on SS7 (Signalling System 7), which allows different phone networks to communicate with each other, passing on calls and text messages. However, as a protocol, SMS works by ‘store-and-forward’: the messages are replicated in many places.
SMS was originally designed to be used for machine-to-machine communications, not humans, meaning it inherently lacks the secure encryption needed to prevent bad actors from reading confidential information. Black-Hat hackers can — and have — infiltrated this global system, enabling them to listen to calls, read SMS messages, and track a phone’s location.
Crucially, this means that not only can private conversations be leaked, but Black-Hat hackers can also access 2FA information via this network, allowing them to sign in on your behalf to any number of accounts you’ve enabled SMS 2FA for. This isn’t just theoretical, either — mobile network breaches have been behind major security leaks in the past.
SIM swaps are another form of maliciously accessing a user’s identity. Although SIM cards are securely encrypted, fraudsters can provide information about a target to convince telecoms companies that they’ve swapped to a new SIM card, allowing them to take over the victim’s phone number.
Are there any alternatives?
While many people, even developers, still consider SMS-based phone verification the standard, there are alternate mobile authentication methods already in existence. Some apps and services ask for an email address instead, but this would be a regression since email-based verification is open to even more avenues for malicious actors and third parties to intercept or spoof a password.
Opting for a code via voicemail is also insecure, since voicemail is only protected by a PIN code, usually four digits, which can be accessed by phone malicious actors with just as much ease. Unfortunately, any passcode-based authentication method carries a degree of risk. Yet we still rely on them in so many facets of our life, because apps and service providers need an automated way to quickly verify a user’s identity — as an individual, rather than a spambot — without risking their privacy.
Mobile 2FA doesn’t have to use a code
2FA shouldn’t have to involve waiting for a second code to back up your password. In fact, modern security shouldn’t even have to involve a username and password at all. It sounds difficult to even imagine proving our identity to apps and services without these staples, but with security experts having long emphasised the flaws in this system, several methods of passwordless verification have been developed, verifying identity through more sophisticated methods which are much harder to fool.
However, the uniting factor between biometric, hardware, and app-based solutions is that they all necessitate adding extra steps to the authentication process on the user’s end, whether it’s carrying around a device, fiddling with a QR code, or entrusting your biological identity to a server — adding friction, and ultimately detracting from an easy, streamlined user experience.
What if we removed user action from the equation?
In an ideal world, passwordless mobile authentication would be easy, fast, and effortless, while still prioritising security and privacy. In fact, that world is already here, and makes use of the cryptographic security of the SIM card in your phone.
A solution like Instant PhoneCheck, for example, works so much faster not by removing any steps — it simply completes them for the user, rather than making them prove themselves. Phone numbers are instantly recognised as legitimate through a check of the SIM card, without any need for human input — and no human input means no opportunity for human interference.