Security

Companies embracing SMS for account logins should be blamed for SIM-swap attacks

SIM-swap attacks continue year after year because companies (that know better) leaned into the awful idea of using SMS for password resets and account logins. These companies include Apple, Dropbox, PayPal, Block, Google, and many others.

What is a SIM-swap attack? It’s where a bad guy asks a carrier to port your cell-phone number to their phone. (Carriers are required to port your number easily because of pro-competition laws in the US.) Then, the crook triggers and receives account login info via SMSes from companies and proceeds to steal money and sensitive info from the victim. It happens all the time… Here are just a few of the higher-profile instances:

Is there a way to stop SIM swap attacks? Yes, it’s simple: Companies SHOULD NOT LET CUSTOMERS LOG IN via SMS, or allow SMS-based password resetting. If SMS 2FA is offered at all, it should be offered only alongside more secure options like Authy or Google Authenticator (and SMS should never serve as a fallback for account recovery).

For many years, people in the industry have invariably said something like: “Well… offering SMS-based authentication is better *overall* for customer security, because of its convenience (despite its shortcomings) vs other methods” (such as the far more securable use of email for verification). To that I say: “who are *YOU* to deprive your customers of security?” Defending against targeted attacks must be an integral part of any company’s defense posture. It’s so arrogant to say otherwise, and it boils my blood, it really does. Offering SMS-based logins is a bad idea, and it never had a chance of being a good one.

Sending an SMS to a customer is like sending a postcard through the mail. It’s plaintext (not encrypted), and anyone can open your mailbox and intercept/read it (which is what happens in a SIM-swap attack). The protocol was never designed to be secure.

Is SMS the best option for password resets? NO! Resetting passwords via an email is far more secure. Is SMS a good 2FA option? No! Apps like Authy or using email are better. Is logging your customer in via SMS ever acceptable? No! [After reading Hacker News comments, let me be clear – I’m not just talking about SMS 2FA, in fact I’m primarily talking about the ubiquitous state of SMS-based password resetting, user onboarding, and account recovery. All are varying degrees of weak. SMS-based 2FA is, when offered as an option alongside stronger 2FA, the least-bad of the weak-security scenarios but is not the focus of the post.]
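The recommendation above, written out as a per-account policy check so the weak and corrected configurations can be compared side by side. This is an added example, not code from the post or from any of the companies named; the factor names, the `legacy` switch and the carrier port-date lookup (a stand-in for the EU “SIM Verify” style check mentioned later in the post) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Second factors that an attacker holding only your phone number cannot use.
STRONG = {"totp", "webauthn"}  # authenticator app, passkey / security key


@dataclass
class Account:
    email_verified: bool
    factors: Set[str] = field(default_factory=set)   # enrolled second factors
    # Days since the number was last ported, from an assumed carrier lookup
    # (SIM-Verify-style); None means the carrier reported no recent port.
    number_ported_days_ago: Optional[int] = None


def allowed_factors(flow: str, acct: Account, legacy: bool = False) -> Set[str]:
    """Return the second factors a flow may accept for this account.

    legacy=True models the common weak setup: SMS is accepted wherever it is
    enrolled, including for password resets and account recovery.
    legacy=False is the corrected policy: SMS never resets a password or
    recovers an account, is never accepted once a stronger factor exists
    (no downgrade), and is refused on a number ported within the last 7 days.
    """
    strong = acct.factors & STRONG
    sms = {"sms"} if "sms" in acct.factors else set()
    email = {"email"} if acct.email_verified else set()

    if legacy:
        if flow == "login":
            return strong | sms
        return email | sms  # reset and recovery alike: SMS is a fallback

    if flow == "login":
        if strong:
            return strong   # no downgrade to SMS once TOTP/WebAuthn is enrolled
        ported = acct.number_ported_days_ago
        recently_ported = ported is not None and ported <= 7
        return set() if recently_ported else sms
    if flow in ("password_reset", "account_recovery"):
        return email        # reset links go to the verified email, never SMS
    raise ValueError(f"unknown flow {flow!r}")
```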

Much of the ire relating to SIM-swap attacks has, understandably, been directed at carriers. Indeed, carriers do a terrible job of securing customers’ phone numbers, and may be liable for that shortcoming. But here’s the thing: carriers’ security has always been bad, it has even been legislated into being bad, and other companies have still chosen to build mission-critical systems on top of that weak link.

Despite it being commonplace, it is important to remember that baking SMS into authentication flows was an awful, shortsighted choice made by companies. Despite offering poor security, SMS offers a nearly frictionless way to sign up new customers (think of Uber’s onboarding) and handle password resets, and companies felt they had to match competitors’ adoption of this technique. They dug the hole, pushed us in, and now they must get us out.

Companies adopt the naive outlook that, somehow, crooks won’t try hard enough to SIM swap individuals. Clearly the criminals will – even to the point of pretending to be customers at physical store locations. It’s time for them to call it on this experiment. It failed.

And I’m sorry, but after nearly a decade, we can call it: efforts to strengthen telephony protocols like SHAKEN/STIR will never happen (to the extent of being fully adopted and strictly enforced, i.e. useful). If the willpower had existed in the industry, it would have happened 5 years ago. Promises of protocol upgrades never were (and certainly are not now) a satisfactory excuse to continue to send password reset codes over SMS. Nor would a stronger protocol even stop SIM swap attacks. People are being harmed day-in and day-out, while the industry equivocates. [Note: the EU’s “SIM Verify” initiative is worth a look.]

While SIM-swapping attacks are prevalent and headline-grabbing, SMSes are also vulnerable to man-in-the-middle attacks. These are likely carried out frequently by nation states. The fact that nation states can abuse SMS verification may even explain some of the overall inertia in allowing a broken system to remain.

If I sound heated, it’s because I’ve been banging this drum for over 7 years. Others have written about it years ago, and yet SIM-swap attacks continue unabated. I’m frustrated because many of these companies talk a big game about putting their customers’ safety and security first. I’m mad because, with all the intractable problems facing tech nowadays like deepfakes (including audio deepfakes that I wrote about here) and disinformation, this is one that can actually be solved, and yet nothing (concrete) is being done. We need a win, and here’s one for the taking!

To repeat: If some random person convinces T-Mobile, AT&T, Verizon, etc to port my number, MY DIGITAL SAFETY SHOULD NOT BE PORTED AS WELL.

How companies embraced this broken tech

Apple:

Apple helped seal SMS’ role in password resets and account logins via its keyboard feature it announced in 2018: Automatically fill in SMS passcodes on iPhone. It also allows scenarios where SMS can be used to reset your Apple account.

Google:

In 2019, Google followed Apple’s bad idea with the same thing for Android, SMS autofill for one time codes.

Cloud providers like Twilio/Amazon/Microsoft/Google etc:

There is a large industrial complex behind SMS codes. Many companies (Azure, AWS, Twilio, Google, etc.) have profit incentives to continue offering SMS one-time codes to customers. Selling these services is unethical. It’s a fundamentally broken technology, sold as a secure solution.

Money management services

Unbelievably, SMS reset/account login functionality is completely ubiquitous even when it comes to your money, as is SMS 2FA and account recovery: Wells Fargo, Cash App (Block), Robinhood, Schwab, PayPal, Bank of America, etc. Again, these are SMS options offered as a way of “verifying that it’s you”, something that SIM-swapping crooks love to hear. Also, never carelessly change your phone number, or you’ll be locked out of your PayPal!

Basically every other company at this point:

From food ordering services to social networks and even data storage firms like Dropbox, SMS is unfortunately, by default, a way to reset your account. If there’s even a way to turn it off, it’s incumbent upon you, the user, to go in and opt out, service by service, and disable the crappy tech. Many services don’t offer an opt out.

Customers think they like SMS reset options

Customers don’t understand the broken nature of SMS resets. It’s not their job to. They appreciate that it’s more convenient than resets via email (an actually-secure option) or login 2FA codes via 2FA apps like Authy. iPhone’s SMS autofill is oftentimes (dubiously) heralded as the best thing in iOS. The issue is: it’s not the customer’s job to understand whether systems are secure, it’s tech companies’.

And tech companies have failed, leaving all of their customers exposed in the process.

Hopefully a combination of lawsuits and legislation will eventually change the status quo. In the meantime, companies need to be brave and call the situation for what it is: a complete shit show. And then roll back their support of SMS verification services.

A few more things:

There have been really fantastic comments on Hacker News:

Traveling in an area where you don’t get SMSes? Shucks, you are locked out. Are you a customer of a bank like Bank of America, which requires SMS 2FA be enabled for any 2FA to be enabled? That’s broken! It’s only your money, for crying out loud! Locked out of Viber because you changed numbers? Damn! Citibank “requiring SMS authentication to change the phone number on the account”? Not only is that silly, but that’s a bank that safeguards your hard-earned cash! (One that happens to have just been sued by the NY AG for taking inadequate precautions to safeguard users from fraud and online scams, by the way.) Does your carrier stick you with SMS roaming fees? You are paying for shit security. Are you in a place where, if you forget to refill your balance, your SIM gets blocked, denying you SMS? Too bad all of these companies force you to have a SIM :/. Did you know that, as of its Oct. 2023 guidance, NIST has harsh guidance when it comes to using SMS or phone calls for user identification? I did not, pass it on! Someone who works at banks in the EU notes that thankfully using SMS there remained more expensive than in the US and it never caught on as much for SMS 2FA, which is “liable to both security breaches and locking out users”.

All of these commenters testify in a way I never could (with any authority at least) to the myriad ways you can be screwed as customers because of companies’ misguided decisions regarding SMS. It all hammers home the same point from above: the state of SMS-based verification in the industry is truly a shit show. And companies must be brave, suck it up, and roll it back. SMS is not cool anymore. Love your customers, don’t hurt them. Pass it on!

Please share this article wherever you think it may make an impact.

It is insane to me that SIM swapping attacks are entirely preventable and yet allowed to happen by flawed choices regarding the “convenience vs security” tradeoff. Please drop a link in Slack/Teams, or post to Reddit or wherever you feel that consumers or builders may be best informed. Seriously, I don’t have ads or monetize this site at all; these words are literally passion spilling out onto the page. Please share this with a buddy and let’s try and change things. SIM swapping attacks are preventable.

Robust Identity services are more important than ever in the age of deepfakes.

Moving away from telephone-number-based identity services is a major and necessary step in realizing robust means of customer identification, which is even more important these days. The era of old school KYC (Know Your Customer) enforcement is over, with fake ID AI services going mainstream. Add to that “voice print” identification services, which have been used for years by financial companies, ISPs, and more: an awful trend that won’t hold up in the wake of deepfake audio and determined hackers. Check out my post on this from 2021. In any case, we should move away from unencrypted, SIM-swap-prone verification identity services like SMS.

Many ransomware attacks are downstream of SIM-swap attacks

Another seemingly intractable problem facing IT around the world is ransomware. SIM-swapping attacks represent a significant vector for compromising a company’s network. Again, rolling back support for SMS logins could take a bite out of the ransomware scourge.

One HN commenter mentioned the “SIM Verify” initiative in the EU, where companies relying on SMS can at least check to see if a SIM had recently been ported. That’s something, and we’ll see if it goes anywhere, but if the SHAKEN/STIR rollout has taught me anything, changes like this may reach the US many years from now.

Finally, a dedicated home to this question

I created a site at a permanent URL that bluntly answers the question “Is using SMS for logins a good idea?”, for sharing with people in your industry.