Recent research from universities in New Mexico, Arizona, and Louisiana, along with the firm Circle, highlights a growing concern about SMS security. The researchers noted that executing attacks on SMS is surprisingly simple and can be done using common technology and basic web security knowledge.
One major issue is that SMS messages are sent without encryption. This means that sensitive information can be exposed. For instance, in a significant discovery from 2019, researchers found millions of text messages that included usernames, passwords, and private communications between businesses and their customers.
Despite being aware of these vulnerabilities, the risky practice of communicating sensitive information via SMS continues. The researchers point out that they couldn’t analyze the full extent of this problem due to ethical constraints. However, they explored public SMS gateways, which allow users to receive texts without revealing their actual phone numbers. Notable examples include Receive Free SMS and Temp Number.
Through their research, they gathered 332,000 unique URLs from 33 million texts sent to over 30,000 numbers. Alarmingly, messages from 701 sources revealed critical personal information, such as social security numbers and bank account details. This breach of privacy stemmed from weak authentication methods based on token links, allowing anyone with access to these links to harvest sensitive data.
The implications of these findings are significant. A recent survey found that 90% of users believe their SMS communications are secure, highlighting a disconnect between user perceptions and reality. Experts emphasize the need for stronger security measures, such as adopting encrypted messaging apps, to protect personal information.
This research serves as a warning. With SMS remaining a popular communication channel, it’s crucial for both users and companies to recognize the inadequacies of SMS security and prioritize safer alternatives.
