SMS (text messaging, "txt", or texting) is a highly insecure way to send short text messages to or from a cell phone. It is nevertheless widely used as a second factor for 2FA and, worse, as a password reset / account recovery channel (which has resulted in account hijackings), and it is misguidedly encouraged for both purposes by iOS 10+, Twitter, Facebook, and other software and services that nag you to associate an SMS phone number with your account on their systems.
MMS is used for sending media such as photos in otherwise "text" messages.
Insecure Account Recovery
- 2017-08-21 NYT: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
- 2017-07-06 @justin: "Someone socially engineered AT&T to get a new SIM for my phone, signed into my PayPal (using 2FA) and withdrew a bunch of money." (this was actually done via SMS password reset / account recovery on PayPal; see the posts in the tweet thread)
Insecure Second Auth Factor
- 2018-08-01 Reddit: We had a security incident. Here's what you need to know.
- "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."
(Need screenshots of the nag-ware screens from Apple (iOS 9+ nags you on first start; iOS 10+ nags you continuously in the Settings app), Google, Facebook, etc. that encourage or default you to adding your cell phone number for authentication / recovery purposes.)
Also need screenshots from any services that, when you add SMS as a second factor, default to also adding SMS as an account recovery method (a single factor). That actually makes your account *LESS SECURE* than if you had never tried to turn on 2FA in the first place: anyone who can talk your carrier into reissuing your SIM or porting your number gets in without ever needing your password.
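To make the "less secure than never turning on 2FA" point concrete, here is a small attack-path model. It is an added example, not code from this page or from any of the services mentioned; the policy names, the attacker profiles and the sets of factors are assumptions constructed for illustration. An account is exactly as strong as its weakest login or recovery path, so an SMS reset path that needs only the phone number turns the whole account into a one-factor account for anyone who can hijack that number.

```python
"""Attack-path model of account login and recovery policies.

Added illustration only; not code from the page it accompanies.
A policy is a list of "paths". Each path is the set of factors an attacker
must control to get into the account by that route (normal login, password
reset, etc.). Takeover succeeds if any single path is fully covered, so the
weakest path, not the strongest, decides how secure the account really is.
"""
from typing import Dict, FrozenSet, List

Path = FrozenSet[str]

# Hypothetical policies, constructed for this example.
POLICIES: Dict[str, List[Path]] = {
    # Password only: one path, one factor.
    "password-only": [frozenset({"password"})],
    # Password + TOTP app, no phone-based recovery.
    "password+totp": [frozenset({"password", "totp"})],
    # Password + SMS code as second factor, and the same number enabled for
    # password reset (the default many services push on you).
    "password+sms, sms-reset": [
        frozenset({"password", "sms"}),  # normal login
        frozenset({"sms"}),              # "forgot password" -> reset via SMS
    ],
    # Token-based 2FA, but the phone number was added as a recovery method.
    "password+totp, sms-reset": [
        frozenset({"password", "totp"}),
        frozenset({"sms"}),
    ],
}

# Constructed attacker capabilities (what the attacker controls), not real incidents.
ATTACKERS: Dict[str, FrozenSet[str]] = {
    "sim-swap only": frozenset({"sms"}),
    "phished password only": frozenset({"password"}),
    "phished password + sim-swap": frozenset({"password", "sms"}),
}


def can_take_over(policy: List[Path], attacker: FrozenSet[str]) -> bool:
    """True if the attacker's factors cover every factor on at least one path."""
    return any(path <= attacker for path in policy)


def weakest_paths(policy: List[Path]) -> List[Path]:
    """Minimal paths: those no other path is a strict subset of.
    These are the routes that actually bound the account's strength."""
    return [p for p in policy if not any(q < p for q in policy)]


def min_factors_needed(policy: List[Path]) -> int:
    """Smallest number of distinct factors an attacker must control to get in."""
    return min(len(p) for p in policy)


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Takeover outcome for every (policy, attacker) pair."""
    return {
        name: {who: can_take_over(policy, caps) for who, caps in ATTACKERS.items()}
        for name, policy in POLICIES.items()
    }


if __name__ == "__main__":
    for name, results in evaluate().items():
        weakest = ", ".join("+".join(sorted(p)) for p in weakest_paths(POLICIES[name]))
        print(f"{name:28s} min factors={min_factors_needed(POLICIES[name])}  weakest: {weakest}")
        for who, pwned in results.items():
            print(f"    {who:30s} -> {'TAKEOVER' if pwned else 'safe'}")
```

Running it shows that "password+sms, sms-reset" and "password+totp, sms-reset" both fall to a SIM swap alone, while "password-only" does not; enabling SMS recovery has dropped the number of factors an attacker needs from one (the password) to one (the phone number), and the phone number is the factor a stranger can socially engineer out of a carrier.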
On macOS, the "Settings" app prompts you to associate a phone number that can receive SMS with your Apple ID in order to "verify your identity":
Twitter actually prompts you to add a phone number to your account (if you don't already have one on it), with SMS password reset *as a feature*! They are literally prompting you to make your account *less* secure while claiming the opposite. WTF.
"Safeguard your account
Add your phone number now to help ensure that you can log in to Twitter, even if you lose your password"
What the prompt really means:
"Make your account vulnerable
Add your phone number now to help ensure that anyone pretending to be you to your phone company can log in to Twitter, even without your password"