
The SMS Security Nightmare Years Later: Why It Matters



Can you believe it? SMS has been around for forty years. "Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That’s especially concerning when it comes to security," say Eugene Liderman and Roger Piqueras Jover of Google.


Remember back in 2016, when draft guidelines from the US National Institute of Standards and Technology (NIST) stated that SMS is not secure enough for authentication purposes? I know what you're thinking, and you're correct. Despite the warnings from one of the biggest security standards bodies, nothing has really changed since then. SMS is still used by almost every major online or SaaS application for two-factor authentication.


In an age where digital privacy and security are paramount, Short Message Service (SMS) stands out as a glaring vulnerability in our communication infrastructure. Despite the growing recognition of its security shortcomings, the telecommunications industry faces considerable challenges in moving away from SMS, and Apple's hesitation in adopting more secure messaging protocols, like the Rich Communication Services (RCS) protocol, is a pivotal factor.

SMS: A Relic with Security Gaps

SMS, a technology dating back to the early days of mobile communication, has long been the default method for sending text messages. However, it is plagued by several security gaps that have made it increasingly unfit for modern communication.

1. Lack of End-to-End Encryption

The most glaring shortcoming of SMS is the absence of end-to-end encryption. "SMS is not an encrypted protocol and is vulnerable to abuse. SMS authentication can be intercepted in a variety of ways and should not be trusted as a stand-alone MFA protocol," says Christopher Cain, Threat Research Manager, OpenText Cybersecurity. This lack of encryption has severe privacy implications, as users have no control over who can access their messages.

2. Vulnerability to SIM Swapping

SMS is vulnerable to SIM swapping attacks, where attackers trick mobile carriers into transferring a victim's phone number to a new SIM card under their control. Once done, they can intercept SMS-based two-factor authentication codes, gaining unauthorized access to various online accounts.

3. Phishing Threats

SMS is also a common vector for phishing attacks, where malicious actors impersonate legitimate entities to trick recipients into revealing sensitive information. The limited visual elements in SMS make it challenging for users to verify the authenticity of messages.

4. Inadequate Authentication

SMS-based two-factor authentication (2FA) is not foolproof. It relies on the assumption that possession of a phone and its associated phone number equates to a secure authentication method. However, this assumption has been proven wrong by numerous incidents of SIM swapping.

Users Are Becoming More Aware of the Security Problem That Follows Their Phone Around

Users increasingly seek a more secure messaging choice than SMS due to growing concerns about their privacy and data security. A new infographic from YouGov outlines the current sentiment in the user community across iOS and Android. As individuals become more aware of these vulnerabilities, they are actively seeking messaging alternatives, such as secure messaging apps and protocols like Signal, WhatsApp, or RCS, that offer robust encryption, authentication mechanisms, and safeguards to protect their confidential conversations and sensitive information from prying eyes and cyber threats.

[Image: SMS security statistics]

Why The Industry May Struggle to Move Away from SMS

Despite these glaring security issues, moving away from SMS is not as straightforward as it may seem. Several factors contribute to the industry's hesitance:

  • Legacy Infrastructure: SMS is deeply entrenched in the telecommunications infrastructure. Replacing or upgrading it would require investments in both technology and regulatory changes. However, this seems like a fair trade to prioritize user security.

  • Interoperability: Achieving universal adoption of a new messaging protocol like RCS is a massive challenge. With numerous carriers and platforms involved, achieving a seamless transition is no small feat. But 500 carriers, the majority around the world, have adopted RCS already. This is a bit of a non-issue considering the momentum RCS has.

What Can Be Done?

Given the industry's inertia in addressing SMS security issues, regulators or standards bodies could step in to protect consumers. They can play a pivotal role by:

1. Setting Security Standards: Create minimum security standards for text messaging services, including the adoption of encryption and authentication mechanisms.

2. Encouraging Secure Messaging Protocol Adoption: Incentivize carriers and device manufacturers to adopt a more secure alternative to SMS. At the very least, they could create awareness like Google has done with its #GetTheMessage campaign, which is focused on RCS adoption.

3. Holding Carriers and Device Manufacturers Accountable: Hold industry players accountable for security breaches that occur due to vulnerabilities in SMS, while encouraging them to invest in more secure alternatives.

Apple's Hang Up Matters Too

One of the key players in the SMS vs. a more secure messaging protocol debate is Apple. As the other major player in the smartphone OS space next to Android, Apple's reluctance to fully embrace a more secure messaging protocol has hindered adoption. For example, Apple hasn't formally responded at all to the calls by Google and others to adopt RCS, except for CEO Tim Cook telling one fan to 'get your mom an iPhone'. If Apple were to put user security instead of blue bubbles and iMessage first and adopt a more secure messaging protocol, it would significantly accelerate the transition away from SMS towards a more secure messaging ecosystem. All this to say, it's high time for the industry to take action and prioritize user security in the realm of mobile messaging.
