SMSChain reply to CoinAnalysis.io
SMSCHAIN has recently been accused of being a scam by the CoinAnalysis.io website. We would like to thank them for giving us another opportunity to thoroughly explain our project to the public and to answer some of the questions which have been raised.
The first cause for suspicion raised can be summarised by the general statement “Too good to be true.” This is based on an incorrect calculation their analysts make when working out the average price of a text message:
“According to SMSChain this means you would earn 150$ per month. Per 100 SMS you get $15 making a single text message worth $0.15. Now why would any company want to pay 15 cents per SMS? There are professional services, such as Twilio, whose messages cost around $0.0075. Do you see the difference? For roughly 1 cent you get a professional service, whereas for 15 cents you get your SMS delivered in an unprofessional manner.”
SMSCHAIN clearly indicates the approximate potential income of app users based on average daily sold text messages. To earn $15, a user needs to sell approximately 100 SMS/day, which adds up to 3000 text messages per month. One can easily calculate the price per text message by applying simple math: $15 / 3000 text messages = $0.005 per text message. If CoinAnalysis.io's calculations were right, it would indeed make no commercial sense to pay 15 cents for a service which can be purchased at a much lower price. However, their price of $0.15 is in fact 30 times higher than that stated on the SMSCHAIN website and in our white paper.
It is very important to understand that the average price of an A2P text message around the world is about $0.03. The price goes as high as $0.085 per message in many countries. Here is an example of the price of SMS delivery to Germany from the same website that CoinAnalysis.io uses for reference:
People around the world already receive verification codes from numeric SIM-originating routes simply because this is a much cheaper way of delivering text messages. In some countries where prices are higher, most transactional SMS traffic is delivered via SIM routes. SMSCHAIN has not invented anything new; it is just decentralising the existing multibillion-dollar market.
The second argument which CoinAnalysis.io brings is a bit stronger. It is a legitimate question which requires an answer. This is the reason why we have decided to make a post.
“The security issue alone is just too high: Users would be able to read the SMS their phone sends, allowing them access to others' 2FA codes, OTPs (One time passwords) and other sensitive information. They might even be able to alter the SMS for a phishing attack.”
Practically speaking, there will be no increase in vulnerability in comparison to current solutions. On the contrary, companies that are directly or indirectly involved in the delivery of OTP text messages can see the content of messages and this is much worse because:
a) traffic can go through dozens of companies before it reaches the final destination.
b) since it goes through so many centralised channels, there are multiple points of failure that currently lead to many serious security vulnerabilities. Almost any employee in an SMS aggregator company can see millions of such OTP text messages in unencrypted format.
c) most A2P SMS messages are transmitted via the SMPP 3.4 protocol without any encryption or security. Any Internet service provider can also monitor all text messages in unencrypted format by monitoring the incoming traffic.
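As an added illustration of point c) (not code from SMSCHAIN or CoinAnalysis.io), the Python sketch below encodes and then decodes a constructed SMPP 3.4 submit_sm PDU. Every mandatory field, including the message text, sits in the byte stream as-is, so confidentiality has to come from the transport, for example a TLS or VPN tunnel between the SMPP peers. The addresses, the one-time code and the helper names are made up, and the default alphabet is assumed to be ASCII-compatible.

```python
import struct

SUBMIT_SM = 0x00000004  # SMPP 3.4 command_id for submit_sm

def cstr(s: str) -> bytes:
    """C-Octet String: ASCII bytes followed by a NUL terminator."""
    return s.encode("ascii") + b"\x00"

def build_submit_sm(seq: int, src: str, dst: str, text: str) -> bytes:
    """Encode a minimal submit_sm PDU (data_coding 0, no optional TLVs)."""
    msg = text.encode("ascii")  # assumption: ASCII-compatible default alphabet
    body = (cstr("")                        # service_type
            + bytes([0, 0]) + cstr(src)     # source ton, npi, address
            + bytes([0, 0]) + cstr(dst)     # destination ton, npi, address
            + bytes([0, 0, 0])              # esm_class, protocol_id, priority_flag
            + cstr("") + cstr("")           # schedule_delivery_time, validity_period
            + bytes([0, 0, 0, 0])           # registered_delivery .. sm_default_msg_id
            + bytes([len(msg)]) + msg)      # sm_length, short_message
    return struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, seq) + body

def parse_submit_sm(pdu: bytes) -> dict:
    """Decode the mandatory submit_sm fields; no key or secret is involved."""
    length, cmd, _status, seq = struct.unpack(">IIII", pdu[:16])
    if length != len(pdu) or cmd != SUBMIT_SM:
        raise ValueError("not a complete submit_sm PDU")
    pos = 16
    def take_cstr() -> str:
        nonlocal pos
        end = pdu.index(b"\x00", pos)
        val, pos = pdu[pos:end].decode("ascii"), end + 1
        return val
    def take(n: int) -> bytes:
        nonlocal pos
        val, pos = pdu[pos:pos + n], pos + n
        if len(val) != n:
            raise ValueError("truncated PDU")
        return val
    take_cstr()                       # service_type
    take(2); src = take_cstr()
    take(2); dst = take_cstr()
    take(3); take_cstr(); take_cstr(); take(4)
    text = take(take(1)[0]).decode("ascii")
    return {"seq": seq, "source": src, "dest": dst, "short_message": text}

# Constructed sample: made-up addresses and one-time code.
SAMPLE_PDU = build_submit_sm(7, "10000", "491700000000", "Your code is 482913")

if __name__ == "__main__":
    print(parse_submit_sm(SAMPLE_PDU))
```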
Due to the aforementioned vulnerabilities in the existing SMPP protocols, 2FA is specifically designed to require simultaneous possession of two authentication components in order to log in or trigger an action. For example, to log in to your Gmail account, you may need your email, password and a verification code. You cannot log in unless all of these components are known to you at the same time. Due to the existing vulnerabilities, companies never send any sensitive information via SMS, such as credit card PIN codes or real account passwords.
Since SMSCHAIN is a decentralised platform which will potentially involve hundreds of thousands of miners all around the world and will have sending entity-to-miner encryption, it will be more secure than existing centralised channels where millions of unencrypted OTP text messages are accessible and downloadable by dozens of companies which are directly or indirectly involved in the SMS delivery process.
So, although the complexity of these networks means that they are never completely secure, rest assured that SMSCHAIN is a step forward in A2P SMS security. We look forward to feedback from CoinAnalysis.io and anyone else who’d like to comment about these points.