Short Message Service : Security Alternative or Obsolete Technology?

Do SMS have 2FA vulnerabilities?

While SMS-based two-factor authentication (2FA) is effective, it comes with significant risks and vulnerabilities that we should not ignore. A clear example is SIM swapping, as demonstrated by the 2019 attack on Jack Dorsey, co-founder of Twitter. Attackers managed to transfer his phone number to a SIM card under their control, allowing them to access his personal account. This incident shows just how devastating this type of attack can be, as a simple SIM change can compromise the security of sensitive accounts.

Another major risk is SMS interception on insecure networks. In 2017 and 2018, vulnerabilities were discovered in Signaling System No. 7 (SS7), a protocol used by mobile networks to exchange information between operators. This decades-old protocol is essential for managing SMS authentication, routing, and transmission. In one notorious case in the United Kingdom in 2019, cybercriminals managed to intercept verification codes sent by banks to their customers, which allowed them to gain access to bank accounts and fraudulently transfer money.

Lastly, social engineering techniques are a significant threat to SMS-based 2F. A common example involves WhatsApp, where cybercriminals attempt to access the victim’s account by sending a login request. In response to this request, WhatsApp sends a verification code to the user’s number via SMS. The attacker, posing as a friend or contact, then sends a message to the victim saying something like this:

If the victim falls into the trap and forwards the code, the attacker can take control of their WhatsApp account. This highlights how easily human trust can be exploited to compromise security.

So, is it safe to use SMS for 2FA?

While SMS-based 2FA is less secure than other methods such as authenticator apps or physical keys, it is still significantly more robust than relying solely on a password. The key is to not rely exclusively on SMS, but to incorporate it into a broader, more advanced security strategy.

In environments where more advanced methods are not feasible, SMS remains a valuable option due to its accessibility and ease of use. As long as security best practices are in place, SMS-based 2FA can offer an additional layer of protection, and this is better than having no extra protection at all.

Why am I not receiving SMS as part of 2FA?

In certain circumstances, SMS used for two-factor authentication (2FA) may not be delivered. One of the main reasons for this is poor network coverage. High-traffic periods such as end-of-year holidays or Black Friday weekend can also lead to delays. These issues are compounded if message filters are enabled in the user’s device or if their inboxes are full, as in both these cases the reception of verification codes will be blocked.

Another relevant factor is network infrastructure and its configuration by their operators. Routing failures in provider networks can lead to authentication messages being incorrectly classified as spam, affecting their delivery.

Likewise, errors in the configuration of the SMPP (Short Message Peer-to-Peer) protocol, or restrictions imposed by certain applications, may temporarily block message delivery if users request multiple codes within a short period of time.

Don’t underestimate the power of SMS in your digital security

Despite the inherent risks, underestimating the value of SMS in digital security would be a mistake. In a world where cyber threats evolve constantly, every additional layer of protection is essential. While authenticator apps and physical keys are more secure and should be our first choice, SMS remains a basic security tool when these options are not viable.

Two-factor authentication is not a luxury, it is a necessity. And while SMS does present some challenges, it remains an option for protecting sensitive information. Ultimately, every layer of security matters, and SMS continues to play a key role in safeguarding modern digital security.