U.S. government says SMS codes aren’t safe – so now what?
We’re all familiar with the SMS text message based security codes used as a security feature by huge numbers of websites from social networks to email to online payments. This is the feature that aims to verify your identity after you log in with a password, by sending a text message to your phone with a code that you use to access the site.
But SMS security codes aren’t safe and should be phased out. That’s the news that’s been circulating over the last few days, and it comes from NIST – the National Institute of Standards and Technology, the U.S. Government agency that publishes standards for everything from the electric power grid to atomic clocks to personal health records. In the draft of its updated Digital Authentication Guideline (Special Publication 800-63B), NIST labelled SMS-delivered codes “deprecated” and warned that they may not be allowed at all in future versions of the guidance.
So what’s wrong with SMS codes? Are they really unsafe? And if they are, what can we use instead?
SMS codes are really just one form of what’s called “two-factor authentication,” or 2FA. The goal of a 2FA system is to make sure that the person logging in with your password is actually you rather than an attacker who has guessed or stolen your password, or recovered it by cracking the hashes in a password dump from a breached web site. “Two factor” refers to the fact that the system checks two different kinds of evidence of your identity: something you know (the password) and something you have (the phone that receives the SMS code). The code only proves possession of the phone number if nobody else can receive messages sent to it – and that is exactly where SMS falls down.
There are several problems with SMS-based systems that led NIST to deprecate them as a second factor:
SMS messages can be delivered through a Voice Over IP (VoIP) service rather than a mobile carrier, and a number hosted that way is only as secure as the web sites and systems of the VoIP provider. If a hacker can break into the victim’s VoIP account or the provider’s systems, she can read the SMS security codes or have them forwarded to her own phone. NIST’s draft accordingly tells sites to check that a registered number actually belongs to a mobile network and not to a VoIP or other software-based service before sending codes to it.
The phone number used for SMS messages is associated with a SIM card (not with a phone) through a database maintained by the carrier (either a mobile carrier or a VoIP provider). If a hacker can persuade the carrier’s customer support agents that she is the user and has lost her phone, the carrier will readily move the number to a new SIM card in the hacker’s possession – a so-called “SIM swap.” From that moment all SMS security codes go to the hacker rather than to the legitimate user, and the attacker never needs physical access to the victim’s phone.
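To make concrete what an SMS second factor actually checks, here is an added example (not code from the original article or from any site it mentions) of the server-side logic behind the code described above: after the password succeeds, the site generates an unpredictable one-time code, stores only a salted hash of it with a short expiry and an attempt limit, hands the code to a delivery callback, and later compares the user’s submission in constant time. The `send_sms` callback and the `SmsCodeChallenge` name are assumptions for the illustration. Note what the code cannot do: every protection here lives on the server, while the two attacks just described happen in the delivery path, so a perfectly implemented challenge still hands the code to whoever controls the phone number.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 3         # lock the challenge after three wrong guesses


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked table does not expose live codes
    return hashlib.sha256(salt + code.encode()).digest()


class SmsCodeChallenge:
    """Server-side state for one out-of-band code sent after a correct password.

    Hypothetical class name for this example. `send_sms(phone_number, message)`
    is an assumed delivery callback: the SMS gateway behind it is exactly the
    part of the system the article says cannot be trusted.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms
        self._now = now            # injectable clock so expiry can be tested
        # username -> (salt, code_hash, expires_at, attempts_left)
        self._pending = {}

    def start(self, username: str, phone_number: str) -> None:
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = (
            salt, _hash_code(code, salt),
            self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS,
        )
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            # Expired or locked: discard the challenge, the user must start over
            self._pending.pop(username, None)
            return False
        # compare_digest avoids revealing how many digits matched via timing
        ok = hmac.compare_digest(_hash_code(submitted, salt), code_hash)
        if ok:
            del self._pending[username]   # one-time use
        else:
            self._pending[username] = (salt, code_hash, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the message it was asked to send
    outbox = []
    challenge = SmsCodeChallenge(lambda phone, msg: outbox.append((phone, msg)))
    challenge.start("alice", "+15555550100")
    print("sent:", outbox[-1])
    code = outbox[-1][1].split()[-1]
    print("wrong guess accepted?", challenge.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", challenge.verify("alice", code))
    print("replay accepted?", challenge.verify("alice", code))
```

The attempt limit and expiry stop an online guessing attack against a six-digit code (one guess in a million, three tries); the hashed storage and constant-time comparison protect against a leak of the server’s own table. None of it helps if the message itself is read by a VoIP provider’s intruder or delivered to a swapped SIM.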