{"id":7813,"date":"2022-11-02T13:38:58","date_gmt":"2022-11-02T21:38:58","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=7813"},"modified":"2022-11-02T13:39:56","modified_gmt":"2022-11-02T21:39:56","slug":"sms-security-is-it-really-secure","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/sms-security-is-it-really-secure\/","title":{"rendered":"SMS Security: Is It Really Secure?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">In 2H 2021, <a href=\"https:\/\/transparency.twitter.com\/en\/reports\/account-security.html#2021-jul-dec\">74.4% of Twitter accounts<\/a> had SMS-based two-factor authentication enabled. But is SMS security as effective as it is popular? Is it really a hassle-free solution for security-conscious organizations in a world of bad passwords? Let\u2019s find out!<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to the <a href=\"https:\/\/www.forgerock.com\/resources\/whitepaper\/2022-forgerock-consumer-identity-breach-report\">ForgeRock 2022 Breach Report<\/a>, 2021 ended with two billion records containing credentials being reported as compromised. That&#8217;s 35% more than the number reported in 2020. As credential compromises continue to grow, companies&#8217; reliance on SMS security has also been called into question.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since the internet was created, protecting sensitive data has always been a challenge. With the evolution of technology, many organizations started combining the internet and telephony to add a second layer of security to their application authentication mechanisms. How? By tapping into the speed and convenience of the short message service (SMS).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That sounds fantastic, doesn&#8217;t it? But is SMS secure enough for this and other similar purposes? 
Should businesses blindly rely on SMS text messages for authentication? Are there any risks involved in using SMS texts?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s find out in the first article of this two-part series on SMS security. We&#8217;ll answer all these questions and dig deeper into one of the most popular, and somewhat controversial, authentication factors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is an SMS Security Code and How Is It Used in Cybersecurity?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cYour verification code is 123456\u201d or \u201cPayPal: Your security code is 123456.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These are two typical examples of SMS security codes you may receive via SMS text message on your phone. In fact, I&#8217;m sure that everyone who doesn&#8217;t live in a grotto and owns a mobile device has seen these kinds of text messages at least once.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The code included in the message is an automatically generated <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc1938\">one-time password<\/a> (OTP). It&#8217;s sent via SMS to the user&#8217;s associated phone number and is valid for a single login session or transaction. What are these SMS security codes used for in cybersecurity?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>\u201cSecure\u201d SMS Authentication<\/strong>. It&#8217;s used in two-factor or multi-factor authentication (more on this later in this article) to validate a user\u2019s identity before granting access to an application. How does it work? After users have entered their username and password, they receive a \u201csecure\u201d SMS text message with a four- or six-digit code. 
All they have to do is type the security code on the login page <em>et voil\u00e0<\/em> \u2014 access to the application is granted.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"443\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/secure-sms-authentication-1024x443.png\" alt=\"A basic diagram showing how &quot;secure&quot; SMS authentication works overall\" class=\"wp-image-7820\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/secure-sms-authentication-1024x443.png 1024w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/secure-sms-authentication-300x130.png 300w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/secure-sms-authentication.png 1136w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Image caption: The graphic shows how secure SMS authentication works.<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>\u201cSecure\u201d SMS Password Reset<\/strong>. Did you know that <a href=\"https:\/\/bitwarden.com\/resources\/world-password-day\/\">21% of consumers<\/a> surveyed by Bitwarden reset their password once a day or several times a week? Wow! And I thought I was bad! I bet many of them are using \u201csecure\u201d SMS as a password recovery method. Why? It\u2019s super fast; you just have to enter your email address on the account recovery page. Then, just like with secure SMS authentication, a text message with a one-time verification code is sent to the linked telephone number. Once you enter the code on the page, you can create a new password. 
Easy and painless, right?<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"969\" height=\"448\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/password-reset-secure-sms.png\" alt=\"A basic diagram showing how &quot;secure&quot; SMS messages can be used to reset passwords\" class=\"wp-image-7819\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/password-reset-secure-sms.png 969w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/password-reset-secure-sms-300x139.png 300w\" sizes=\"(max-width: 969px) 100vw, 969px\" \/><figcaption><em>Image caption: This is how password reset works when you choose to use the secure SMS option.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">All this sounds really great, right? So-called secure SMS is fast, easy to use, and accessible to anyone with a mobile device (i.e., <a href=\"https:\/\/www.gsma.com\/mobileeconomy\/wp-content\/uploads\/2021\/07\/GSMA_MobileEconomy2021_3.pdf\">67% of the global population<\/a>). But is it <em>really<\/em> secure? Umm&#8230; I don&#8217;t know about you, but to me, it all sounds too good to be true. Let&#8217;s start digging deeper and look beyond the facade. Because, as Prince sang, &#8220;All that glitters ain&#8217;t gold&#8221; (Prince&#8217;s \u201cGold\u201d song).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5 Reasons Why \u201cSecure\u201d SMS Can Put Your Organization at Risk<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s do a little exercise. Grab your phone and check the latest text messages you received. How would you feel if they were shared with the whole world? I asked myself the same question and quickly realized that I wouldn\u2019t be happy at all. 
Not because I have something to hide, but because I noticed that the majority of text messages were secure SMS related to some sort of authentication or transaction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, this needs some serious thinking. What if a malicious actor could intercept or read those secure SMS messages? It would be a disaster. They could get access to many important things in your life: bank accounts, email accounts, sensitive applications \u2014 literally anything you use SMS security messages to authenticate for access. But could this scenario happen if you always keep your mobile device on your person? Yes, it could, and it is easier than you may think for several key reasons:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. SMS Aren\u2019t Encrypted (and, Therefore, Can Be Intercepted)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When a user enters their username and password on a website or application, the information is usually sent through the <a href=\"https:\/\/cheapsslsecurity.com\/blog\/your-guide-to-https-port-443-and-why-its-critical-to-security\/\">secure HTTPS port 443<\/a>. With this protocol, the transmitted data is encrypted using the <a href=\"https:\/\/cheapsslsecurity.com\/blog\/what-is-an-ssl-certificate-why-do-you-need-it\/\">SSL\/TLS<\/a> (secure sockets layer\/transport layer security) protocol. (This requires an SSL\/TLS certificate to be installed on the website\u2019s server.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What does this mean? Before being sent to the server, the username and password are transformed into gibberish alphanumeric strings accessible only to authorized parties.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Is it the same for text messages? Not really. SMS are sent in clear text. This means that virtually anyone can read all of them, including authentication and password reset codes: your mobile provider, the government, and, of course, cybercriminals. 
Unlike SSL\/TLS, SMS is based on an old protocol, Signaling System 7 (SS7), which has been exploited for years. For example, in 2019, attackers transferred money to their bank accounts by <a href=\"https:\/\/www.vice.com\/en\/article\/mbzvxv\/criminals-hackers-ss7-uk-banks-metro-bank\">rerouting intercepted SMS authorization codes<\/a> to their mobile devices. And this is just one example; the dark web is full of <a href=\"https:\/\/sosintel.co.uk\/an-investigation-into-ss7-exploitation-services-on-the-dark-web\/\">cheap SS7 exploitation kits<\/a> that are ready to help attackers snoop on verification codes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Want to learn more about SS7 vulnerabilities? 
Check out the <a href=\"https:\/\/www.itu.int\/en\/ITU-T\/extcoop\/figisymposium\/Documents\/ITU_SIT_WG_Technical%20report%20on%20the%20SS7%20vulnerabilities%20and%20their%20impact%20on%20DFS%20transactions_f.pdf\">Security Infrastructure and Trust Working Group<\/a>\u2019s report.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img 
decoding=\"async\" width=\"1023\" height=\"567\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/unencrypted-sms-authentication.png\" alt=\"A diagram showing how insecure SMS is for security and authentication\" class=\"wp-image-7818\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/unencrypted-sms-authentication.png 1023w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/unencrypted-sms-authentication-300x166.png 300w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/><figcaption><em>Image caption: This is how SMS can jeopardize the security of your secure SMS-based authentication.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2. SMS Can Be Phished and Spoofed<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One day, I received an SMS stating more or less the following: \u201cYour package is waiting for delivery. Please review and update your shipping information in the link below.\u201d As I wasn\u2019t waiting for a parcel, I got suspicious. And rightly so.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As paranoid as I am (well, I&#8217;m a cybersecurity expert), I have only a basic phone (i.e., a \u201cdumb\u201d phone) that doesn\u2019t have internet access. Therefore, I couldn&#8217;t click on the dodgy link contained in the message even if I wanted to. Out of curiosity, though, I opened my browser on the Linux laptop I use for security testing and typed the link. (By the way, don\u2019t do this on a Windows machine or on a device you\u2019re using for work or personal activities. Suspicious links often contain malware that could infect your device.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Going back to my case, of course, the link took me to a bad copy of a well-known delivery company\u2019s website. The page was inviting me to fill in my whole address, including my phone number and other sensitive data. 
On top of that, it also asked me to pay a small fee for some baffling customs duties by entering my credit card details. Obviously, I ignored the whole thing and deleted the phishy SMS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There we go! This is a typical example of how attackers can simply send you a text message disguised as coming from a trusted organization and trick you into following dodgy links and sharing sensitive information. Therefore, next time, think before you click!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"874\" height=\"623\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/abcnews-phishing-sms-text-message-example.png\" alt=\"A screenshot of an example phishing message that includes a malicious link. Image source: ABC news.\" class=\"wp-image-7816\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/abcnews-phishing-sms-text-message-example.png 874w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/abcnews-phishing-sms-text-message-example-300x214.png 300w\" sizes=\"(max-width: 874px) 100vw, 874px\" \/><figcaption>Image source: <a href=\"https:\/\/abcnews.go.com\/Technology\/fraudulent-text-message-claims-fedex-package-information\/story?id=68450946\">ABC News<\/a>. The image shows another example of a phishing text message.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3. Subscriber Identity Module (SIM) Cards Are Vulnerable to SIM Swapping Attacks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you lose your phone or want to switch providers, it\u2019s great that you can keep the same old phone number and get everything sorted with a single phone call. But what if a scammer contacts your carrier posing as you (i.e., carries out a <a href=\"https:\/\/cheapsslsecurity.com\/blog\/social-engineering-attacks-and-prevention-methods\/\">social engineering attack<\/a>)? 
They could tell the customer representative they lost their phone to get the rep to issue a new SIM card and deactivate your legitimate one. Yup, this happens more often than you think. That\u2019s why the <a href=\"https:\/\/www.fcc.gov\/port-out-fraud-targets-your-private-accounts\">Federal Communications Commission<\/a> (FCC) and the <a href=\"https:\/\/www.bbb.org\/article\/news-releases\/17019-bbb-warns-about-cell-phone-porting-scams\">Better Business Bureau<\/a> (BBB) published warnings and tips for citizens.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the scam is successful, all SMS and calls are rerouted to the new SIM (owned by the cybercriminal). They will then be able to trigger and use secure SMS authentication and password resets to access your bank accounts, emails, and applications. Everything. This type of situation happened to Jared Goetz, a victim of SIM card swapping. Goetz\u2019s credit card was fraudulently charged $39,000, his SIM was deactivated, and his email address was hacked. Luckily for him, he managed to put an end to the whole scam by talking to the hacker in <a href=\"https:\/\/www.vice.com\/en\/article\/5984zn\/listen-to-sim-jacking-account-ransom-instagram-email-tmobile\">an incredible phone call<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. SIM Cards Can Be Hacked<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Yup. You read it right. Those tiny chips called SIM cards can be hacked, just like a device or a piece of software. How?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Spoofing cell phone tower signals<\/strong>. In July 2010, a researcher managed to build a phony low-cost tower antenna for only $1,500. The homemade device enabled him to <a href=\"https:\/\/www.wired.com\/2010\/07\/intercepting-cell-phone-calls\/\">intercept secure SMS and calls<\/a> by emitting a signal stronger than the legit GSM towers that were available in the area. All this with just a laptop, some open-source software, and a device. 
Can you imagine what professional hackers can do now, 12 years later?<\/li><li><strong>Exploiting vulnerabilities like SIMJacker<\/strong>. Discovered in 2019 by <a href=\"https:\/\/blog.adaptivemobile.com\/simjacker-next-generation-spying-over-mobile\">Adaptive Mobile Security\u2019s researchers<\/a>, SIMJacker allows the attacker to send the designated victims SMS messages that include several spyware-like SIM application toolkit (STK) codes. The attack exploits the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2019-16256\">S@tBrowser<\/a>, a basic browser installed on many SIM cards. Once the target opens the SMS text, the cybercriminal can use the codes to track the victim&#8217;s secure SMS messages, calls, and physical location. Do you want to know more about this vulnerability? Check out the plethora of interesting information and videos published on <a href=\"https:\/\/simjacker.com\/\">Adaptive Mobile Security&#8217;s SIMJacker website<\/a>.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1025\" height=\"562\" src=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/simjacker-sms-card-security-issues.png\" alt=\"A screenshot of how SIMJacker can be used to carry out a SIM card attack via SMS text messages\" class=\"wp-image-7817\" srcset=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/simjacker-sms-card-security-issues.png 1025w, https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/simjacker-sms-card-security-issues-300x164.png 300w\" sizes=\"(max-width: 1025px) 100vw, 1025px\" \/><figcaption><em>Image caption: The graphic shows how the SIMJacker vulnerability can be exploited to hack a SIM card with a simple SMS.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Devices Can Be Stolen or Lost<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In 2021, <a href=\"https:\/\/www.verizon.com\/business\/resources\/executivebriefs\/2022-mobile-security-index-report-executive-summary.pdf\">45% of surveyed organizations<\/a> suffered some downtime or data loss due to a mobile device becoming compromised in some way. For 73% of them, the incident severely impacted their business. According to Asurion, in the same year, <a href=\"https:\/\/www.asurion.com\/connect\/tech-tips\/what-to-do-when-your-phone-is-lost-or-stolen\/\">8.7 million phones<\/a> were lost or stolen.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This happened to me once as well. One evening, I was sitting in a bar with friends and I mindlessly left my mobile phone in my bag, which was hanging on my chair. I left it unattended for less than five minutes to greet one of my friends and, in a snap of a finger, the phone was gone. And what makes this matter worse is that it was my work phone and I was on call that night. Dang! I ended up spending the rest of the evening at the nearest police station to report the theft.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the bright side, at least it wasn&#8217;t a smartphone. Imagine what the thief could have done if the device was logged into banking apps, my company&#8217;s intranet, and applications\u2026&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, to go back to our very first question: \u201cIs SMS really secure?\u201d The answer is no. It\u2019s so unsecure that even the National Institute of Standards and Technology (NIST), in an initial draft of its special publication (SP <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\">800-63-3<\/a>), discouraged <a href=\"https:\/\/www.nist.gov\/blogs\/cybersecurity-insights\/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3\">the use of SMS as an out-of-band second authentication factor<\/a> for federal agencies. 
(They later removed the recommendation.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As <a href=\"https:\/\/krebsonsecurity.com\/about\/\">Brian Krebs<\/a>, a computer security expert, said in one of his articles, &#8220;<em>Phone numbers were never designed to be identity documents, but that\u2019s effectively what they\u2019ve become. It\u2019s time we stopped letting everyone treat them that way.<\/em>&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Want to follow Brian\u2019s advice and give it a try? How? This is what we\u2019re going to quickly discover next.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Can I Use Instead of Secure SMS Codes?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s start by saying that having an SMS security solution for your authentication mechanism is better than only relying on usernames and passwords. However, if you as an organization want to really keep your users and sensitive data secure, you should go beyond &#8220;secure&#8221; SMS authentication and consider switching to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Push authentication<\/strong>. When a user enters their username and password and uses an authentication app like <a href=\"https:\/\/www.okta.com\/integrations\/okta-verify\/\">Okta Verify<\/a> or <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2&amp;hl=en&amp;gl=US\">Google Authenticator<\/a>, the user will receive a push notification on their mobile device prompting them to approve or decline the login request. Attackers won&#8217;t be able to intercept the notification as it doesn&#8217;t rely on a messaging service. This is an easy, fast, and secure way to authenticate.<\/li><li><strong>Fast Identity Online Universal Second Factor (FIDO U2F) protocol<\/strong>. 
Created by the <a href=\"https:\/\/fidoalliance.org\/overview\/\">FIDO Alliance<\/a>, this <a href=\"https:\/\/fidoalliance.org\/fido2\/\">protocol uses cryptography<\/a> as an authentication factor. It has already been implemented by several organizations like GitHub, Facebook, Stripe, and Dropbox.<\/li><li><strong>Public key infrastructure (PKI) based authentication<\/strong>. Many organizations are also going passwordless by issuing <a href=\"https:\/\/cheapsslsecurity.com\/blog\/understanding-the-role-of-certificate-authorities-in-pki\/\">PKI digital certificates<\/a> to employees, a method that NIST recommends for federal agencies. This tried-and-true method is handy, more secure than traditional SMS-based authentication, and eliminates the need to remember or type in complex passwords. You just need your PKI certificate installed on your device or a smart card (or similar token) and a PIN (when using the token).<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">See? There is life after unsecure SMS! Intrigued by the solutions we just mentioned? Don&#8217;t miss our next article for a deep-dive into the latest authentication apps and PKI-based authentication solutions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts on SMS Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At the end of the day, SMS wasn&#8217;t developed with cybersecurity in mind. Yes, including secure SMS in your two-factor authentication mechanism is better than using only the traditional username and password. 
Nevertheless, SMS authentication isn&#8217;t a good option if your goal is to keep customers&#8217; data secure and protect your organization from data breaches.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SMS phishing, SMS message interceptions, SIM hacking, and lost devices \u2014 there are enough good reasons and flaws to make you consider an alternative or, at least, be extra careful when using it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thinking of ditching SMS for a more secure authentication factor? Stay tuned. In our next article, we&#8217;ll explore in depth the best top-notch alternatives to SMS-based two-factor authentication. Don\u2019t miss it!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2H 2021 74.4% of Twitter accounts had SMS-based two-factor authentication enabled. But is SMS security as effective as it is popular? Is it really a hassle-free solution for security-conscious organizations in a world of bad passwords? Let\u2019s find it out! According to the ForgeRock 2022 Breach Report, 2021 ended with two billion records containing<\/p>\n","protected":false},"author":8,"featured_media":7821,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[417],"tags":[421,764,763],"class_list":["post-7813","post","type-post","status-publish","format-standard","has-post-thumbnail","category-cybersecurity","tag-featured","tag-secure-sms","tag-sms-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SMS Security: Is It Really Secure?<\/title>\n<meta name=\"description\" content=\"SMS security isn&#039;t as secure as some companies want you to believe. 
Let&#039;s over the benefits and risks of using this approach to authentication\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cheapsslsecurity.com\/blog\/sms-security-is-it-really-secure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SMS Security: Is It Really Secure?\" \/>\n<meta property=\"og:description\" content=\"SMS security isn&#039;t as secure as some companies want you to believe. Let&#039;s over the benefits and risks of using this approach to authentication\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cheapsslsecurity.com\/blog\/sms-security-is-it-really-secure\/\" \/>\n<meta property=\"og:site_name\" content=\"Savvy Security\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cheapsslsecurities\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-02T21:38:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-02T21:39:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2022\/11\/sms-security-feature.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"1000\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Savvy Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sslsecurity\" \/>\n<meta name=\"twitter:site\" content=\"@sslsecurity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Savvy Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/\"},\"author\":{\"name\":\"Savvy Security\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/#\\\/schema\\\/person\\\/1ce9a5743b7f25b5be6e4972864b4493\"},\"headline\":\"SMS Security: Is It Really Secure?\",\"datePublished\":\"2022-11-02T21:38:58+00:00\",\"dateModified\":\"2022-11-02T21:39:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/\"},\"wordCount\":2435,\"image\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/sms-security-feature.jpg\",\"keywords\":[\"featured\",\"Secure SMS\",\"SMS Security\"],\"articleSection\":[\"SMB Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/\",\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/\",\"name\":\"SMS Security: Is It Really 
Secure?\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/sms-security-feature.jpg\",\"datePublished\":\"2022-11-02T21:38:58+00:00\",\"dateModified\":\"2022-11-02T21:39:56+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/#\\\/schema\\\/person\\\/1ce9a5743b7f25b5be6e4972864b4493\"},\"description\":\"SMS security isn't as secure as some companies want you to believe. Let's over the benefits and risks of using this approach to authentication\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/sms-security-feature.jpg\",\"contentUrl\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/sms-security-feature.jpg\",\"width\":1600,\"height\":1000},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/sms-security-is-it-really-secure\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SMS Security: Is It Really 
Secure?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/\",\"name\":\"Savvy Security\",\"description\":\"Practical cybersecurity advice\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/#\\\/schema\\\/person\\\/1ce9a5743b7f25b5be6e4972864b4493\",\"name\":\"Savvy Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4e5539150b16b5af1d22136f03dedda89a96babb3e9b5ceb18c2bde4e1dcba57?s=96&d=mm&r=g\",\"caption\":\"Savvy Security\"},\"description\":\"Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24\\\/7 security teams.\",\"sameAs\":[\"blogadmin\"],\"url\":\"https:\\\/\\\/cheapsslsecurity.com\\\/blog\\\/author\\\/blogadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SMS Security: Is It Really Secure?","description":"SMS security isn't as secure as some companies want you to believe. 
Let's go over the benefits and risks of using this approach to authentication","canonical":"https:\/\/cheapsslsecurity.com\/blog\/sms-security-is-it-really-secure\/","og_site_name":"Savvy Security","article_published_time":"2022-11-02T21:38:58+00:00","article_modified_time":"2022-11-02T21:39:56+00:00","author":"Savvy Security","twitter_misc":{"Written by":"Savvy Security","Est. reading time":"12 minutes"}},"amp_enabled":true}