As our world moves away from password-based authentication to multifactor authentication (MFA) and other authentication solutions, different threats have appeared. One of the most interesting is that of unauthenticated short message service (SMS). SMS is the technology behind most of our default text messaging on cell phones. SMS has become the new killer app, quickly replacing email and voice calls as the primary method most people use to connect to each other.

There is a huge, growing security problem with SMS. It has become the root behind many types of cybercrime. People have lost hundreds of millions of dollars and access to their most critical, trusted services and accounts because of it. The key problem is that SMS accounts are tied to people’s cell phone numbers. That is the extent of SMS’s authentication — no more, no less — and that’s the problem.

Attackers can execute several types of cyberattacks through SMS. I discuss two of them here. One requires moderate sophistication to pull off. The other is child’s play.

SIM swapping

If someone gains control of someone else’s phone number, they gain access to their SMS messaging. This didn’t used to be a huge deal, but now the most popular type of MFA uses SMS messages as the second factor of authentication. It’s hard to sign up for a bank account, email service or even security service where they don’t want your phone number for MFA via SMS.

One of the popular types of this attack is called SIM swapping. SIM stands for subscriber identity module. SIMs, either stored virtually on a cell phone’s non-transient memory or on a secondary micro-SD memory card, contain the information that ties your cell phone to your cell phone provider’s cellular network.
It contains your phone’s unique identifying number (a 64-bit value called the international mobile subscriber identity, or IMSI), the currently associated phone number, and other relevant information. It can also store other data, such as your calling lists and app data.

We’ve all been involved with our phone’s SIM information when we had to swap old and new SIM cards between phones, or when we got a new or replacement phone. Either you move the old SIM card to the new phone and then activate it, or you have your cell phone provider transfer the necessary SIM information to the new phone or new SIM card by calling technical support and following a standard activation process. Either way, at the end of the SIM information transfer, the newly activated phone accepts calls (and SMS messages). The old phone no longer gets calls or SMS messages.

Attackers have long tricked cell phone network providers into doing unauthorized SIM swaps. The attackers have usually phished the intended victims to learn enough information that they can pose as the legitimate cell phone account holder. This usually means they get the victim’s phone number, cell phone provider company name, and their logon name and password/PIN for the victim’s account on the cell phone provider’s network. Then they call the cell phone provider’s tech support and pose as the legitimate subscriber requesting that the SIM information and service be redirected to a new phone that the attacker has. Sometimes the attacker just pays an inside person to transfer the SIM information. This sort of crime has been committed hundreds of thousands of times around the globe.

The victim doesn’t notice anything right away. Their phone just stops ringing and getting messages.
During that time, the attacker is usually putting one of the victim’s SMS/MFA-protected accounts into recovery mode or simply requesting the normal SMS/MFA logon code, which they then use to log on to the user’s SMS/MFA-protected account. They then steal the user’s identity or assets.

Here are some examples of real-world SIM swap crimes:

Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup
Florida Man Arrested in SIM Swap Conspiracy
Smartphone Crypto Hack: The $24 Million AT&T SIM Swapping Mistake
Tell Your Dad to Give Us Bitcoin

SIM swap crimes are so rampant that the U.S. government, in NIST Special Publication 800-63-3, said not to use SMS-based MFA two years ago. That said, SMS-based MFA is the most popular second-factor authentication on the internet, and with most services you cannot opt out of it.

Fake SIM recovery messages

SIM swap attacks take a little bit of attacker sophistication. Fake SIM recovery messages take none. All the attacker has to know is your cell phone number (which they can find on the internet) and your username for any service you rely on that uses SMS as a secondary logon recovery method (e.g., Gmail, O365, Facebook or Twitter).
The fake SIM recovery attack relies on the fact that SMS has no authentication other than the phone number.

Here’s how the attack goes:

1. An attacker sends you a fake text message claiming to be from your legitimate service and tells you to expect an SMS code that you need to send back in reply to the message.
[Image: Sample phishing text message (Roger Grimes)]

2. The attacker then starts a logon attempt at your legitimate service, but acts as if they do not know the right password.
[Image: Attacker makes a logon attempt (Roger Grimes)]

3. Then the attacker tells the service to send them an SMS “recovery code”.
[Image: Attacker requests an SMS recovery code (Roger Grimes)]

4. The service sends the legitimate recovery code to the legitimate user’s phone.
[Image: Legitimate recovery code sent to user’s phone (Roger Grimes)]

5. The tricked user then sends that recovery code back to the attacker.
[Image: User sends recovery code to attacker (Roger Grimes)]

6. The attacker then enters the code into the legitimate service’s recovery code prompt, gets authenticated to the account, and takes control of it.

The reason this type of attack works is that the user has no way to distinguish which SMS messages (or phone numbers) are or aren’t from the legitimate vendor. If you look at the message sent by Google in step 4, is there any indication that the message really is from Google? That’s the problem. SMS is not authenticated beyond a phone number, and unless you know the legitimate phone numbers, you’re out of luck. Ironically, you can’t Google Google’s phone numbers used by its SMS recovery service.

Google (and many other providers, like Microsoft) know that SMS is a weak authentication choice and offer additional choices for account recovery.
However, in this case, the user is being socially engineered to accept an expected SMS message from the start, and the hacker can force the legitimate service to allow SMS recovery because it’s still an available recovery option.

How to defend against unauthenticated SMS attacks

How could a user avoid this last attack? Start with education. Let users know that the unauthenticated nature of SMS allows different types of hacking attacks. Users should train themselves not to allow unexpected SMS recovery methods (especially if other, better alternative methods exist). For the fake SIM recovery attack, users should know that when they get an SMS recovery code from the vendor, that code is usually typed into the browser logon session that requested it, never sent in reply to the SMS message.

Regarding SIM swap attacks, realize you cannot trust any critical part of your life (e.g., banking or investing) to any SMS-based MFA method. Thousands of people have lost their life savings trusting SMS-based MFA methods. Second, use non-SMS-based MFA methods when you can, such as authentication applications (like Google Authenticator) or FIDO keys. They each have their own hacks, but those require other, less popular, types of attacks.

The ultimate answer is that the cell phone industry, in concert with the financial industry, needs to come to grips with how bad SMS-based MFA and recovery methods are and do something about it. They know it’s a problem. There are better solutions, some of which have been widely implemented in some countries, but in general the poor authentication of SMS remains a widespread problem.

Cell phone users beware.