Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

06 Mar, 2024


SMS is not exactly plaintext.

The network operator has it in plaintext, but the attack surface there is limited and both organizational and technological measures limit the exposure.

Over the air, it is pretty much encrypted, unless one uses 2G which can be optionally unencrypted and vulnerable to downgrade attacks. Most modern phones can be forced to use 3G and above.

And yes, these encryption methods are considered weak in relation to e.g. TLS and successful attacks do exist. But these attacks require equipment, skills and have their own prerequisites (like a great deal of exchanged data, etc.).

SIM swapping and other social engineering attacks are also possible, but they are - again - attacks and they require luck, skills and effort. They are not a ready-to-use access channel. They can fail miserably as well - all the way down to being arrested and prosecuted.

In short, SMS is not that bad for use as a second factor.

edit: There is no good and bad (by itself) method.

There are good and bad methods in relation to the risk spectrum, the stakes and the user base involved. SMS is bad for launching nukes, but good enough for the average Joe's online payments. It is bad as well in regard to the order of attractive toy use in a kindergarten.

In the security field, "good enough" is quite often the best method, because security always cripples the usefulness of the resource in question.

Edit2: As per @Steve's comment: the worst second factor is one that users refuse to use because it's "too complicated" or "doesn't work on my system". This will either lead to users having only single-factor authentication, or becoming ex-users as they cancel their service or similar. In that context, a "bad" second factor is still good, because it's better than losing customers or relying on only a single factor. Even more customers can be kept by offering a stronger alternative to SMS (or other weaker second factors) for those customers who appreciate the technical differences and prefer stronger security.