Why unauthenticated SMS is a security risk

Multifactor authentication that uses SMS messaging as a second factor is vulnerable to simple hacks. User education is the best defense.

As our world moves away from password-based authentication to multifactor authentication (MFA) and other authentication solutions, different threats have appeared. One of the most interesting is that of unauthenticated short message service (SMS). SMS is the technology behind most of our default text messaging on cell phones. SMS has become the new killer app, quickly replacing email and voice calls as the primary method most people use to connect to each other.

There is a huge, growing security problem with SMS. It has become the root of many types of cybercrime. People have lost hundreds of millions of dollars and access to their most critical, trusted services and accounts because of it. The key problem is that SMS accounts are tied to people’s cell phone numbers. That is the extent of SMS’s authentication — no more, no less — and that’s the problem.

Attackers can execute several types of cyberattacks through SMS. I discuss two of them here. One requires moderate sophistication to pull off. The other is child’s play.

SIM swapping

If someone gains control of someone else’s phone number, they gain access to that person’s SMS messages. This wasn’t a huge deal in the past, but now the most popular type of MFA uses SMS messages as the second factor of authentication. It’s hard to sign up for a bank account, an email service or even a security service that doesn’t want your phone number for MFA via SMS.
