Why was SMS never secure?
Updated Mon, January 30, 2023 12:54 EST
Mobile phones are always a weak point. If an unlocked device falls into someone else's hands, chances are that person can read all the messages stored on the phone. Broadly the same thing happens when an SMS is read somewhere between the sender and the receiver, at a point where the message is decrypted. End-to-end encryption keeps a message safe and secure along the whole path, but SMS unfortunately does not have it.
The mobile operator can access SMS texts
SMS messages are not encrypted end to end. This means that the mobile service provider can see the content of the messages one sends and receives. The messages are stored on the service provider's systems, similar to Facebook, which can see one's messages.
Mobile service providers store the SMS content for a few days, but the metadata is stored for a more extended period. The metadata is information such as the phone number the message is sent to and the time of delivery. This type of record is usually used for legal evidence; for example, text messages are commonly used as evidence in divorce proceedings.
The Ghost text controversy
In 2019, many people complained that they had received strange, out-of-context SMS messages from family, friends, and other contacts. The mobile service providers confirmed a technical glitch in telecom infrastructure: old, delayed Valentine's Day messages had been delivered inadvertently. This incident led people to wonder whether SMS was secure enough.
Unfortunately, SMS is not secure enough because delivery is a multi-step process. Only the first leg is protected: the message is encrypted from the sender to the first mobile tower, but not after that. The mobile service provider keeps the message even though the sender and receiver may delete it. Wherever encryption is lacking, there is a risk of hacking.
Hackers look for weak points in the virtual end-to-end path of an SMS between the sender and receiver. The entire path consists of different networks, service providers, and computer systems, any of which may have a vulnerability that hackers can exploit.
Texts are not stored for just a few seconds; they stay on these systems for longer periods, which tilts the odds in favor of the hackers.
It is all about personal privacy
An ordinary citizen is unlikely to send texts that contain military secrets, secret government policies, or any sensitive data that may be of use to a hacker. But what if personal text exchanges that carry gossip about a boss, or details about friends and family, get read and forwarded to others? It would not be a good feeling. What about confidential personal information such as passwords, bank account balances, or one's whereabouts? The idea is not about the big secrets that need to be protected. It is all about protecting one's personal privacy.
Why should one bother about SMS security otherwise?
There are many ways in which terrorists, hackers, and undemocratic governments can hack into the SMS system for their own benefit. Many countries' governments are hacking into systems using SMS. In 2019, Chinese state actors were involved in developing Linux-based malware that could steal SMS from a mobile operator’s network. The malware was installed on the Short Message Service Centre (SMSC) servers of the mobile operator network that handled SMS services.
The malware had a list of keywords that were of geopolitical interest to Chinese intelligence. The sponsored hacker group connected the keywords with the phone numbers they wanted to track. They interacted with call detail records and tracked suspected individuals who were of interest to Chinese intelligence. This malware was later spotted on the network of a mobile operator by the US cyber-security firm FireEye.
Smishing is the term for phishing carried out over SMS messages. One should never respond to a call to action in an SMS sent from an unknown number. Fraudulent messages asking one to click on a URL may seem legitimate, appearing to come from a courier service, for example. When one is expecting a parcel, people let their guard down for a split second, and that is what scammers wait for. Hackers almost always prey on the “what if” fear factor of users. An SMS from the authorities, a bank, or a courier is usually greeted with fear that there could be penal action if it is not responded to. Then there is the dilemma of the OTP received via SMS, which is used for second-factor authorization linked to the mobile.
How to protect yourself from unsecured SMS?
Any text message deserves a measured response. One must pay close attention to the character of the text, which generally gives it away. For example, a message from an unknown source with an intimate greeting such as "Hello Mate" that looks out of character, or one asking to click on an outdated company URL, should be treated with caution. If there is doubt, one can check the sender's official website without clicking the link in the SMS on the phone. If a bank appears to be making a lucrative loan offer, it can be cross-checked on the bank's website or by calling the company directly to verify the authenticity of the offer.
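The checks described above can be written down as a small triage routine that compares any link in a message with the official domain of the organisation it names. This is an added example, not part of the original article; the sender list, organisation names, greetings and domains are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (hypothetical names, numbers and domains).
KNOWN_SENDERS = {"+15550100", "EXAMPLEBANK"}
OFFICIAL_DOMAINS = {
    "examplebank": "examplebank.example",
    "examplecourier": "examplecourier.example",
}
CASUAL_GREETINGS = ("hello mate", "hi dear")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Return the lower-cased host name of a link found in a message."""
    url = url.rstrip(".,;:!?)")
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_official(host, domain):
    """True only for the official domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage_sms(sender, body):
    """Return the reasons to treat one SMS with caution (empty list if none)."""
    reasons = []
    text = body.lower()
    squashed = text.replace(" ", "")
    unknown = sender not in KNOWN_SENDERS
    if unknown:
        reasons.append("unknown sender")
    if unknown and text.lstrip().startswith(CASUAL_GREETINGS):
        reasons.append("out-of-character greeting")
    # Organisations whose name appears anywhere in the text, links included.
    named = [d for name, d in OFFICIAL_DOMAINS.items() if name in squashed]
    for host in map(link_host, URL_RE.findall(body)):
        if any(is_official(host, d) for d in named):
            continue  # link really points at the organisation named in the text
        if named:
            reasons.append(f"link host {host} is not the official site of the named sender")
        else:
            reasons.append(f"link to unverified host {host}")
    return reasons
```

A host that merely begins with an official name does not pass: only the official domain itself or its subdomains count as a match.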
SMS has its simple advantages and worked well on the earlier, simple non-smart phones, where text messages were the means of communication. With smartphones, however, both Android and Apple’s iOS have technology that can send longer texts with attachments. The Apple iPhone has end-to-end encryption, and chat services like WhatsApp and Signal are secure.
Ideally, now that smartphones are available, the smart choice is to do any texting on WhatsApp only. There are some critical services that one still needs on the SMS platform even now. For example, security codes sent by SMS to authenticate a mobile number, codes from cab apps and flower services, and card balance messages are still needed. This is perfectly OK as long as one is not using SMS for private messages.
Most of the traffic traveling to and from one’s devices is now encrypted, but that solves only half the problem. The risk remains as long as one does not choose carefully what to send over SMS and what not to.