is sms encrypted?

Is SMS encrypted?

Up until the last 10 years or so, no one really discussed the security of SMS. 

Because it was mainly used for personal texting, there wasn’t really much perceived threat or danger from it being hacked.

It was only when we started to use SMS for the delivery of OTP security codes and other sensitive information, did the safety of SMS come into focus.

As fraudsters used ever more sophisticated techniques to intercept and reroute SMS, the security of SMS became an important topic.

Is SMS data encrypted?

SMS, whether it’s P2P (person to person) or ATP (application to person) IS NOT end-to- end encrypted.

It’s possible for the mobile network, or anyone that manages to intercept the text, to read the content.

This is why SMS or binary SMS is such an attractive target for criminals. With millions of SMS 2fa codes being sent every day,  the potential for large scale fraud is massive.

Mobile networks only retain SMS data for a few days but other information is kept for much longer. 

Information like the mobile number, dates and times of messages sent and received could be released to law enforcement agencies if mobile networks were required.

What are the SMS security issues?

There are a few ways that unencrypted texts can be accessed and used.

Hackers can intercept your texts

Mobile phone networks use something called the SS7 (signalling system 7) protocol. It’s how the networks communicate and how your phone connects to a mobile network, wherever you are.

The SS7 system itself has security flaws that leave it vulnerable to attack. All criminals need, to hack into SS7, is a laptop running Linux and the SS7 development kit, both of which are free to download.

Once hackers have connected to an SS7 network, they can fool the network into believing that they are actually a network subscriber and access voice and SMS data for that mobile number.

If hackers successfully intercept 2fa codes sent from banks, they could potentially reset bank details, locking the real customer out of their account.

Your SMS data can be monitored by authorities

SMS security

With the correct permissions, government and law enforcement authorities can deploy stingray devices which act as temporary mobile phone signalling masts. 

Your phone will connect with them in the same way as they connect to the mobile network mask and your data is then exposed.

Amazingly stingray devices or IMSI catchers as they’re sometimes known, are available to purchase on the web.

Mobile phone retailers can be fooled into giving mobile numbers to fraudsters

If a criminal has a modest amount of ID documentation like a copy of a driving license and household bill, they can easily convince a member of staff to hand over a mobile number.

This would allow them full access to all your data and monitor incoming calls and texts.

Using this data they can quickly lock a victim out of their online accounts and commit wide scale theft.

Will SMS ever be encrypted?

Verified SMS

There are no plans to encrypt SMS. The technical complexities of making such drastic changes wouldn’t be practical even if there was cross network agreement to do so.

It’s likely we’ll see a shift away from SMS for sending security codes as criminals take increasing advantage of the security flaw.

Why is SMS used for 2fa codes if it’s not secure?

This is more of a question of convenience than security. 

SMS is ideal for sending security code because every phone on the planet can send and receive texts, without having to download a separate app like WhatsApp or Imessage.

If you have a phone, you can receive a code by text. So SMS for 2fa isn’t ideal but it’s a great deal more secure than using not using 2fa at all.,

The chances of a 2fa code being hacked and then successfully used to access an account are still very rare indeed. That may explain the lack of urgency to develop a universal alternative.

Is SMS more secure than email?

The vast majority of commercially available email systems like Gmail and Outlook are not encrypted.

With email you have the added danger that your device could be hacked, exposing not just the email folders but all other unprotected files on the device.

Computer malware, spyware and other malicious systems are far more prevalent on computers.  Attacks are also more successful on laptops and computers than they are on mobile phones.

For that reason, SMS is probably more secure than email.

That’s not because there are enhanced security features with SMS, it’s just that the devices themselves tend to be more secure and less targeted.

SMS Pumping Fraud poses additional risk

A new type of fraud called SMS pumping could threaten the use of SMS for OTP. In this new criminal activity, web forms that generate OTP texts are attacked by fraudsters, triggering large numbers of outbound OTP SMS.

They then generate a revenue stream by taking advantage of a revenue share offered by the mobile network.

Users of SMS API services can easily find that all their text credits have been used and that they’re facing a large and welcome additional cost.

SMS trashing is another form of fraud that business SMS users need to be aware of.

Related articles

SMS OTP – A guide for 2022 A guide to one time passwords

What is MO and MT SMS? More mobile industry jargon explained

What is P2P SMS? a simple guide 

A guide to 2fa SMS 2 factor authentication by SMS. 

SMS Data Retention setting limits on how long we hold your data. 

author avatar
Henry Cazalet Managing Director
Co-founder and Director of The SMS Works, a low cost and powerful SMS API for developers. About Henry