SMS
This article is a stub. You can help the IndieWeb wiki by expanding it.
SMS, t(e)xt messaging, or t(e)xting is a way of sending short messages over cell phones which is unfortunately often used and recommended by silos as a second factor and password resets, despite being highly insecure and a known enabler of account hijackings.
Criticism
Enables 2FA bypass
When SMS is added as a second factor to an account, it typically also enables account reset via SMS, ironically replacing one single-factor (email/pw) with another, enabling 2FA bypass on the account.
- 2017-07-06 @justin: "Someone socially engineered AT&T to get a new SIM for my phone, signed into my Paypal (using 2FA) and withdrew a bunch of money." (was actually done by SMS password reset / account recovery on PayPal, see posts in tweet thread)
- 2017-08-21 NYT: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
- 2018-07-17 Motherboard: The SIM Hijackers
Emphasis added.Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers.
[…]
… logged into her email and noticed someone was resetting the passwords on many of her accounts.
[…]
By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.
[…]
“With someone's phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can't do anything about it.”
Insecure Account Recovery
Since SMS text messages are sent in the clear, even legitimate use of SMS to reset an account sends the necessary codes in the clear (which can be intercepted), and thus is an insecure method for account recovery.
Insecure Second Auth Factor
Even if a service does not allow account reset/recovery via SMS, it’s still insecure as a second factor.
- 2018-08-01 Reddit official announcement: We had a security incident. Here's what you need to know.
- "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."
Silo Examples
(need screenshots from the nag-ware screens from Apple (iOS 9+ nags you on first start, iOS 10+ nags you continuously in Settings app), Google, Facebook etc encouraging/defaulting you to add your cell phone number for auth / recovery reasons).
Also need screenshots from any services that when you add SMS as a second factor, they default to adding SMS as an account recovery method (1-factor), which actually makes your account *LESS SECURE* than if you would have never attempted to turn on 2FA in the first place.
Amazon
Amazon is a review, rating, and comment silo in addition to being a predominant e-commerce site.
Amazon.com, upon signing in with email and password, prompts you to enter a mobile number for “account security”
Apple ID
Apple ID is a silo identity service that is now (all but?) required to use any iOS or MacOS device.
On MacOS, you are prompted by the "Settings" app to associate a phone number that can receive SMS with your Apple ID to "verify your identity":
Instagram only allows SMS based MFA and then enables SMS recovery as well thus making your account MORE vulnerable (e.g. to SIM-jacking as documented) than if you had never turned on their MFA.
- 2018-07-17 Motherboard: The SIM Hijackers
Certain services, including Instagram, require that users provide a phone number when setting up two-factor, a stipulation with the unintended effect of giving hackers another method of getting into an account. That’s because if hackers take over a target’s number, they can skirt two-factor and seize their Instagram account without even knowing the account’s password.
Twitter actually prompts you to add a phone number to your account (if you don't already have one on it) with SMS password reset *as a feature*! They are literally prompting you to make your account *less* secure, while claiming the opposite. WTF.
Text of prompt reads (emphasis added):
Safeguard your account
Add your phone number now to help ensure that you can log in to Twitter, even if you lose your password
What the prompt really means:
Make your account vulnerable
Add your phone number now to help ensure that anyone pretending to be you to your phone company can log in to Twitter, even without your password
Benefits
When used for it's intended purpose - for notifications that doesn't require security -, SMS can be used as an alternative to push notifications in case there is no data connectivity due to it's extremely compact nature. Services like PagerDuty utilize SMS alerting for monitoring.
See Also
- messaging
- phone number
- https://www.contextis.com/blog/binary-sms-the-old-backdoor-to-your-new-thing
- 2018-10-16 TechCrunch: A leaky database of SMS text messages exposed password resets and two-factor codes
- 2016-07-25 TechCrunch: NIST declares the age of SMS-based 2-factor authentication over
- https://www.gimletmedia.com/reply-all/130-lizard#episode-player see transcript there and incorporate, as well as the Show Notes for more articles about SIMjacking etc
- ^^^
Like the basic problem with this whole system is we treat a phone number–the thing we give every single person–like it’s a really good password.
…
The tech companies are like, “Your password has to have seven upper and lowercase things and be completely unique and blah blah blah, but if you forget it, we’ll just use your phone number.”
- https://twitter.com/hillbrad/status/1004040328150540288
- "Passwords and SMS 2FA still suck. There is huge momentum to move past them, at last, and at this point Apple is the biggest thing standing in the way. I hope that will change by the end of WWDC." @hillbrad June 5, 2018
- more on that 2FA recovery criticism: https://twitter.com/cooncesean/status/1130493867734605824
- "My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I'm equal parts embarrassed, hurt, and deeply remorseful.
In an effort to raise awareness about the attack, I wrote about it here: https://bit.ly/2VN5bZU" @cooncesean May 20, 2019
- "My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I'm equal parts embarrassed, hurt, and deeply remorseful.
- more 2FA recovery criticism: >$100k lost by a crypto company engineering manager: https://twitter.com/fremycompany/status/1131139678416056321
- "The best thing with cryptomoney is that you can choose! Either you make sure nobody will be able to recover your coins when you die, or you let them exposed to hackers stealing them from you.
Maybe we should rename "Bitcoins" into "Robin Hood Money":
make the rich poor again." @FremyCompany May 22, 2019
- "The best thing with cryptomoney is that you can choose! Either you make sure nobody will be able to recover your coins when you die, or you let them exposed to hackers stealing them from you.
- Moar 2FA criticism: 2019-05-10 Gizmodo: PSA: SMS 2FA Is Weak AF
… the websites themselves should be doing better on security. For important accounts, it probably shouldn’t even be a choice to use text messages as two-factor authentication.
- 2FA criticism: 2016-06-26 WIRED: So Hey You Should Stop Using Texts for Two-Factor Authentication
"If there’s an attacker, they get all your text messages. it’s completely trust-based...It’s so simple it’s almost embarrassing to call it a hack."
- https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/
- 2FA Criticism: 2019-06-17 ZDNet: SIM swap horror story: I've lost decades of data and Google won't lift a finger
First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.
- 2019-06-03 ZDNet: Wave of SIM swapping attacks hit US cryptocurrency users
Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week, ZDNet has learned, in what appears to be a coordinated wave of attacks.
- 2019-06-18 yet another SMS 2FA account recovery hack https://twitter.com/dtrinh/status/1141213216036384768 + https://twitter.com/dtrinh/status/1141231970422145026 + https://twitter.com/dtrinh/status/1141365086071603200 + https://twitter.com/mjmalone/status/1141401600822394880 + https://twitter.com/dtrinh/status/1141385382052765696 + https://twitter.com/dtrinh/status/1141385382052765696 + https://twitter.com/dtrinh/status/1141430995792457728 + https://twitter.com/dtrinh/status/1141468999651229696
- "Whoa. I think my Apple ID was hacked — my phone lost SIM connection, asked me to login with Apple ID, then my phone reset. Now my computer won't let me auth either. Lazy web: what's the best thing to do?" @dtrinh June 19, 2019
- AppleID SMS 2FA still requires SMS recovery and thus forces SIM swap vulnerability on users: https://twitter.com/sobbybutter/status/1141398679171022850
- "Ugh, hopefully one day Apple will follow Google's lead and allow the removal of SMS 2FA for iCloud in favor of TOTP/U2F." @sobbybutter June 19, 2019
- Why SMS 2FA is a lie: in practice they make SMS a *one* (not two) factor auth by itself via SMS account recovery (e.g. AppleID, Twitter, FB, etc.) and this violates point two here: https://twitter.com/cookedj/status/1143587203047731203
- "One of the 5 things CISOs must know from @SarahKSquire at #identiverse #iammaestro" @cookedj June 25, 2019
- 2019-08-30 Twitter founder/creator Jack’s account was compromised likely via SMS, and started posting via an SMS based client https://twitter.com/bborrman/status/1167528193705697280 (thread)
- "Yes, Jack's account was compromised. We're working on it and investigating what happened." @bborrman August 30, 2019
- ^^^ https://twitter.com/mrejfox/status/1167528296009162752
- "Someone found out the number Jack Dorsey linked to twitter for SMS and used that to post. “Cloudhopper” is how SMS posts show up because Twitter doesn’t give a shit about anything.
Another great reason to treat your personal phone number like your password and use Google Voice." @mrejfox August 30, 2019
- "Someone found out the number Jack Dorsey linked to twitter for SMS and used that to post. “Cloudhopper” is how SMS posts show up because Twitter doesn’t give a shit about anything.
- ^^^ more on Cloudhopper https://twitter.com/Psythor/status/1167528597671878657
- ".@jack’s hacked tweets are being posted from an app called Cloudhopper, which is apparently an app Twitter acquired previously that had something to do with SMS. So his account appears not breached - but rather Jack’s account is still hooked up to an old service that got hacked." @Psythor August 30, 2019
- ^^^ screenshotted tweet: https://twitter.com/jack/status/1090012553827078144
- "Cloud hopper?" @jack January 28, 2019
- Enables phishing by calling your phone number, e.g. when used as second factor for your bank: https://twitter.com/digitallawyer/status/1181348691623337984 (mid thread)
- "3) "We've sent a verification pin to your phone."
~ Gets verification pin text from bank's regular number ~
Me: <reads out the pin>" @DigitalLawyer October 7, 2019
- "3) "We've sent a verification pin to your phone."
- sms: links https://www.ietf.org/rfc/rfc5724.txt
- Criticism: thorough thread about SIM-swap vulnerability details across phone carriers: https://twitter.com/random_walker/status/1215689116253290501
- ""SIM swap" attacks have been in the news for years. They’ve enabled serious financial crimes and even a hack of the Twitter CEO's account. We spent 6 months researching how vulnerable wireless accounts are to these attacks. Our draft study is out today. https://www.issms2fasecure.com/" @random_walker January 10, 2020
- ^^^ in particular table of carriers and information failures: https://twitter.com/random_walker/status/1215689761941336065
- "Unfortunately, all five carriers used authentication methods that are considered insecure in the computer security community. Taken together, these findings help explain why SIM swaps have been such a persistent problem. More details in our paper: https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf" @random_walker January 10, 2020
- ^^^ SMS recovery = zero-factor auth, on 17 websites, some of which "have billions of users each" (guess which silos) https://twitter.com/random_walker/status/1215690582368100352 and https://twitter.com/random_walker/status/1215690673564868608
- "We have a number of concerning findings but the most problematic is that there are 17 websites that simultaneously allow SMS both for password recovery and as the second factor for authentication. Given the ease of SIM swaps, that’s zero-factor auth, not two-factor auth." @random_walker January 10, 2020
- Criticism: vulnerable to txt scams: 2020-01-23 CNN: A new text message scam is disguising itself as a FedEx notification
- Criticism: use for 2FA makes your account less secure on Yahoo and AOL: https://palant.de/2020/03/09/yahoo-and-aol-where-two-factor-authentication-makes-your-account-less-secure/
- https://sec.okta.com/articles/2020/05/sms-two-factor-authentication-worse-just-good-password
- 2020-12-17 ArsTechnica: “Evil mobile emulator farms” used to steal millions from US and EU banks
It would be nice if banks provided multi factor authentication through a medium other than SMS, but few financial institutions do.
- 2020-12-15 IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms
This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and in many cases using those codes to complete illicit transactions.
- "SMS identity is not a completely unworkable solution, but it's definitely not the future we should be pushing for, when regular account systems are free, more accessible, and much more stable" https://arstechnica.com/gadgets/2021/03/the-new-google-pay-repeats-all-the-same-mistakes-of-google-allo/
- https://twitter.com/josephfcox/status/1371509983842598918?s=21
- "New: this is truly insane. For $16, a hacker rerouted my texts; received messages meant for me; broke into my online accounts. This isn't SIM jacking or SS7. You just pay a company in this unregulated wild west and get control of text routing in minutes https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber" @josephfcox March 15, 2021
- your number can be invisibly rerouted by random telco companies https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
- Criticism: Welcome to "smishing" SMS-phishing: 2021-05-07 NBC News: Why cybercriminals looking to steal personal info are using text messages as bait / With more people using their smartphones to make payments and many banks and utilities verifying users' accounts through text messages, the fraud floodgates have opened.
- Criticism: 2022-04-02 CNBC: Scammers are texting you from your own number now — here's what to do if that happens
- Criticism: 2019-01-31 Vox: Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts / Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.
- ^
The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s.
- SMS as 2FA / account recovery or setup vuln, again: 2022-09-07 BBC News: How is a thief taking thousands from London gym-goers?
That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account.
- ^ Another defense: do not give your bank a cell number in your profile (or any number that can accept SMS), so they can't involuntarily sign you up for the 2FA SMS / account recovery or setup vuln.
- Twitter SMS second factor failing and vulnerable to shut-off: 2022-11-17 Failures in Twitter’s Two-Factor Authentication System
… texting “STOP” to the Twitter verification service results in the service turning off SMS two-factor … allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing.