Information and communication technologies have evolved rapidly over the last several decades. Today’s smartphones are more powerful than desktop computers used in the 1980s and 90s—despite being a fraction of the size. This rapid technological expansion has brought with it innumerable blessings and challenges for consumers and businesses alike. While the infiltration of tech into nearly every facet of our daily lives has made so many personal aspects of life, such as building and nurturing relationships, much easier to do at a distance, it has also ushered in new opportunities for private citizens to be exposed unwittingly to exploitation and theft.
SMS messaging is often used for 2-factor authorization, but SMS may not be the most secure method for verifying your identity.
What are SMS Texts?
Text messaging was first conceived in the early 1980s by Friedhelm Hillebrand and Bernard Ghillebaert. The first short message service (SMS) messages were limited to 160 seven-bit characters so they could fit into the signaling formats of the time. Originally, SMS messages only contained text; however, SMS messages can now also include multimedia messages (known as MMS) that feature images, GIFs, videos, sound clips, and emojis.
Today, 83% of American adults own a cell phone and according to a 2011 study by Pew Research, cell phone users send and receive, on average, 41.5 text messages per day–a number which has no doubt increased significantly in our pandemic and post-pandemic world. Despite the rise of social media and Internet-based messaging services, hundreds of millions of text messages are sent every single day in the U.S.
SMS Texts are not limited to personal use. SMS software allows businesses to interact with customers via text. These business-to-consumer text messages are often called “SMS notifications,” and customers are usually prompted to opt-in to messaging during registration or check-out. Customers who do opt-in to receive SMS messages can receive messages about order confirmations, shipment notifications, security authorizations, new account features or log-in activity, appointment reminders, sales and promotions, and so much more.
Are SMS Texts Secure?
SMS Texts are not as secure as the average person believes them to be. The technology behind SMS texts is quickly becoming outdated, as other more secure messaging platforms enter the app marketplace. The average consumer’s optimistic faith in SMS text security might be attributable to the relative lack of SMS text spam compared to email with an enhanced security profile. However, there are many parties, some unwanted, that have access to your texts.
SMS Messages Are Not End-to-End Encrypted
A cellular provider can ‘see’ the contents of SMS messages that pass over its networks. Those messages are stored on the cellular provider’s systems where they can be retrieved at any time for a variety of reasons, and not always at the request or knowledge of the original sender or receiver. SMS content is retained on cellular provider servers for several days, but the metadata (the phone numbers and date/time stamps on the message) are stored for even longer.
This is in stark contrast to end-to-end encrypted chat apps, such as Signal. Signal does not see or retain any of the content sent across its servers. Signal also does not know the identities of the individuals communicating with each other across its platform. Signal conversation data is only stored on the devices of the end users. Apple’s iMessage is another example of secure end-to-end encryption but with one major caveat: iMessage only provides end-to-end encryption when both the sender and recipient are using Apple devices.
SMS Messages Can Be Intercepted By Criminals
Every mobile phone in use around the world is connected to the Signaling System No. 7 (SS7) protocol. The technology that allows your cell phone to call anyone in the world is the same technology that makes SMS texts susceptible to snooping. SS7 hackers can read text messages, listen to phone calls, and track mobile phone users’ locations by using just a phone number.
SMS Messages Can Be Monitored By the Government
For years, law enforcement agencies have been engaging in the very controversial use of ‘stingray’ devices. A ‘stingray’ device mimics cell phone towers. When a cell phone pings for a signal, it can be tricked into linking to the stingray device. The device is able to collect data from any phone in its vicinity. That data can be used to identify and track individuals and their associates without their knowledge or consent, and without a warrant.
Alternatives to SMS in Two-Factor Authorization
Deploying SMS as part of your business’ 2FA ID verification protocol does increase the security of your users’ accounts over the use of usernames and passwords alone. However, there are safer and more effective means of completing two-factor authorization:
- Push Notifications. Push notifications are a great alternative to SMS texts because messages are sent via a phone’s internet connection rather than the phone’s vulnerable SS7 protocol. Selecting the push notification opens an application on the phone where the user, securely logged in, accepts or denies the notification request.
- Voice Calls. Calls are more cumbersome to the end-user but can be highly effective with customers who have limited internet access or as a tertiary authorization when push notifications fail. Verbalized codes are much harder to capture surreptitiously, making voice calls more secure than SMS texts.
- Software tokens. Software tokens bypass the need for internet connectivity or voice calls by embedding the authorization token in pre-installed applications on a piece of hardware.
Protect Your Business With Integrity
Business-to-consumer communication is greatly eased with the use of SMS texts, particularly as a part of a business’s ID verification protocol. Indeed, the adoption of SMS texts as part of online security two-factor authorization (2FA) arose out of the ubiquitous use of cell phones. But the greatest benefit of SMS is also its greatest weakness: these messages are not as secure as they are perceived to be. Nevertheless, deploying SMS as part of your business’ 2FA ID verification protocol does increase the security of your users’ accounts over the use of usernames and passwords alone.
Layered Identity Verification as Part of a 2FA World
That is why it is important to deliver a secure 2FA solution by layering KYC or identity verification on top of a 2FA solution. For instance, verifying the user’s identity and their mobile number, and then adding the 2FA, creates a “belt and suspender” approach to minimizing fraud. Contact Integrity by Aristotle today and learn how we can provide you with proven and secure identity verification solutions that suit your business and consumer needs.