INDUSTRIAL MANUFACTURING BLOG YOU SHOULD BE READING

Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

06 Mar.,2024

 

SMS is not exactly plaintext.

The network operator has it in plaintext, but the attack surface there is limited and both organizational and technological measures limit the exposure.

Over the air, it is pretty much encrypted, unless one uses 2G which can be optionally unencrypted and vulnerable to downgrade attacks. Most modern phones can be forced to use 3G and above.

And yes, these encryption methods are considered weak in relation to e.g. TLS and sucessful attacks do exist. But these attacks require equipment, skills and have their own prerequisites (like a great deal of exchanged data, etc...).

SIM swapping and other social engineering attacks are also possible, but they are - again - attacks and they require luck, skills and effort. They are not ready to use access channel. They can fail miserably as well - all the way down to being arrested and prosecuted.

In short, SMS is not that bad for use as a second factor.

edit: There is no good and bad (by itself) method.

There are good and bad methods in relation to the risk spectrum, the stakes and the user base involved. SMS is bad for launching nukes, but good enough for the average Joe's online payments. It is bad as well in regard to the order of an attractive toy use in a kindergarden.

In the security field, "good enough" is quite often the best method, because the security always cripples the usefullnes of the resource in question.

Edit2: As per @Steve comment: the worst second factor is one that users refuse to use because it's "too complicated" or "doesn't work on my system". This will either lead to users having only single-factor authentication, or becoming ex-users as they cancel their service or similar. In that context, a "bad" second factor is still good, because it's better than losing customers or relying on only a single factor. Even more customers can be kept by offering a stronger alternative to SMS (or other weaker second factors) for those customers who appreciate the technical differences and prefer stronger security.

For more information SIP Trunking, Voice Verification Code, please get in touch with us!

Previous: How SMS Verification Codes Work
Next: Is SMS for 2FA insecure?

china silver coating conductive fabric manufacturer suspension clamp manufacturers wholesale stainless steel faucets china label commercial printer visit our website excavator crane attachment excavator crane attachment Forklift Attachment stainless steel vs glass water bottle stainless steel vs glass water bottle clothing rails heavy duty Expanded Security Mesh Expanded Security Mesh chrome plating machine chrome plating machine chrome plating machine

Related Posts
Guest Posts
*
*
* CAPTCHA
Submit