Return to resilience: Time to retire SMS.
Richard De Vere, Head of Social Engineering, Ultima and Founder of the AntiSocial Engineer
The continued reliance on SMS for sensitive communications has recently been brought to light in the media.
Featuring on BBC’s Rip Off Britain with Angela Rippon later in October, I speak with the BBC about this method, which requires immediate modernisation. As a reader of Ultima’s UiQ publication, here is a first look at why it needs to be put to rest, once and for all.
In an era dominated by digital communication, SMS (Short Message Service) has retained its significance as a quick and effective way for companies to interact with consumers. However, the increasing reliance on SMS messages as a communication channel comes with its own set of cybersecurity risks and vulnerabilities. As businesses strive to maintain a seamless connection with their customers, it's crucial to understand the potential threats posed by this seemingly innocuous mode of communication.
The appeal of SMS communication
SMS communication offers several advantages that have contributed to its continued popularity among companies and consumers. It's widely accessible, does not require internet connectivity, and has a high open and read rate. Companies appreciate SMS for its ability to deliver timely messages, such as promotional offers, transaction alerts, and service updates, directly to customers' mobile devices. However, this convenience can mask the underlying security challenges.
Cybersecurity risks and vulnerabilities
Phishing and spoofing:
Cybercriminals can exploit the trust associated with SMS communication by sending fraudulent messages masquerading as legitimate companies. These phishing attempts often contain malicious links or requests for sensitive information, aiming to deceive consumers into sharing personal data or credentials.
SMS messages can be used to distribute malware, such as viruses, Trojans, and ransomware. Unsuspecting users who click on malicious links or download attachments from seemingly legitimate sources can inadvertently compromise their devices and personal data.
SMS messages are transmitted over cellular networks, making them susceptible to interception by malicious actors. Hackers with the right tools and knowledge can intercept messages containing sensitive information, exposing customer data to potential theft.
SIM card swapping:
Attackers can exploit vulnerabilities in the process of transferring a mobile number to a new SIM card. This allows them to take control of the victim's phone number, enabling unauthorised access to SMS-based authentication methods and potentially compromising accounts.
Lack of encryption:
Unlike some newer messaging platforms, SMS messages are not end-to-end encrypted by default. This means that the content of the messages can be accessed by service providers, leaving the messages vulnerable to unauthorised access or interception during transmission.
Social engineering attacks:
SMS messages are often used as part of two-factor authentication (2FA) processes. However, attackers have been known to impersonate customers and request 2FA codes to gain unauthorised access to accounts, relying on human error and social engineering tactics.
To address these vulnerabilities and enhance the security of SMS-based communication, companies should consider implementing the following measures:
Multi-factor authentication (MFA):
While SMS-based 2FA is widely used, it's recommended to explore more secure alternatives, such as app-based authentication or hardware tokens, to reduce the risk of social engineering attacks.
Employ end-to-end encryption for sensitive communications to ensure that only authorised parties can access the content of messages.
Educate customers about the risks associated with SMS communication, including how to identify phishing attempts and the importance of not sharing sensitive information over text.
Keep software and applications up-to-date to patch vulnerabilities that cybercriminals might exploit.
Implement advanced anti-phishing solutions that can detect and prevent fraudulent SMS messages from reaching customers' devices.
SMS messages remain a valuable tool for businesses to engage with consumers, but the cybersecurity risks associated with their use should not be underestimated. By recognising and addressing these vulnerabilities, companies can continue to leverage SMS communication while safeguarding their customers' sensitive information and maintaining their trust in an increasingly digital world. As technology continues to evolve, a proactive and multi-layered security approach is essential to stay one step ahead of cyber threats.
Catch Richard De Vere on BBC’s Rip Off Britain in October 2023.