{"id":975,"date":"2022-07-22T07:30:11","date_gmt":"2022-07-22T07:30:11","guid":{"rendered":"https:\/\/test.thesmsworks.co.uk\/blog\/?p=975"},"modified":"2024-02-05T12:13:25","modified_gmt":"2024-02-05T12:13:25","slug":"is-sms-encrypted","status":"publish","type":"post","link":"https:\/\/thesmsworks.co.uk\/blog\/is-sms-encrypted\/","title":{"rendered":"Is SMS Encrypted?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/p>\n

Is SMS encrypted?<\/h1>\n

<\/p>\n

Up until the last 10 years or so, no one really discussed the security of SMS.\u00a0<\/p>\n

<\/p>\n

Because it was mainly used for personal texting, there wasn\u2019t really much perceived threat or danger from it being hacked.<\/p>\n

<\/p>\n

It was only when we started to use SMS for the delivery of\u00a0OTP security codes<\/a><\/strong>\u00a0and other sensitive information, did the safety of SMS come into focus.<\/p>\n

<\/p>\n

As fraudsters used ever more sophisticated techniques to intercept and reroute SMS, the security of SMS became an important topic.<\/p>\n

<\/p>\n

Is SMS data encrypted?<\/strong><\/h2>\n

<\/p>\n

SMS, whether it’s\u00a0P2P (person to person)<\/a><\/strong>\u00a0or\u00a0ATP (application to person)<\/a><\/strong>\u00a0IS NOT\u00a0<\/strong>end-to- end encrypted.<\/p>\n

<\/p>\n

\"\"<\/figure>\n

<\/p>\n

It\u2019s possible for the mobile network, or anyone that manages to intercept the text, to read the content.<\/p>\n

<\/p>\n

This is why SMS or binary SMS<\/a><\/strong> is such an attractive target for criminals. With millions of SMS 2fa codes being sent every day, \u00a0the potential for large scale fraud is massive.<\/p>\n

<\/p>\n

Mobile networks only retain SMS data for a few days but other information is kept for much longer.\u00a0<\/p>\n

<\/p>\n

Information like the mobile number, dates and times of messages sent and received could be released to law enforcement agencies if mobile networks were required.<\/p>\n

<\/p>\n

What are the SMS security issues?<\/strong><\/h2>\n

<\/p>\n

There are a few ways that unencrypted texts can be accessed and used.<\/p>\n

<\/p>\n

Hackers can intercept your texts<\/strong><\/p>\n

<\/p>\n

Mobile phone networks use something called the SS7 (signalling system 7) protocol. It\u2019s how the networks communicate and how your phone connects to a mobile network, wherever you are.<\/p>\n

<\/p>\n

The\u00a0SS7 system<\/a><\/strong>\u00a0itself has security flaws that leave it\u00a0vulnerable to attack<\/a><\/strong>. All criminals need, to hack into SS7, is a laptop running Linux and the SS7 development kit, both of which are free to download.<\/p>\n

<\/p>\n

Once hackers have connected to an SS7 network, they can fool the network into believing that they are actually a network subscriber and access voice and SMS data for that mobile number.<\/p>\n

<\/p>\n

If hackers successfully intercept 2fa codes sent from banks, they could potentially reset bank details, locking the real customer out of their account.<\/p>\n

<\/p>\n

Your SMS data can be monitored by authorities<\/strong><\/p>\n

<\/p>\n

\"SMS<\/p>\n

With the correct permissions, government and law enforcement authorities can deploy\u00a0stingray devices<\/a><\/strong>\u00a0which act as temporary mobile phone signalling masts.\u00a0<\/p>\n

<\/p>\n

Your phone will connect with them in the same way as they connect to the mobile network mask and your data is then exposed.<\/p>\n

<\/p>\n

Amazingly\u00a0stingray devices or IMSI catchers as they\u2019re sometimes known, are available to purchase on the web.<\/p>\n

<\/p>\n

Mobile phone retailers can be fooled into giving mobile numbers to fraudsters<\/strong><\/p>\n

<\/p>\n

If a criminal has a modest amount of ID documentation like a copy of a driving license and household bill, they can easily convince a member of staff to hand over a mobile number.<\/p>\n

<\/p>\n

This would allow them full access to all your data and monitor incoming calls and texts.<\/p>\n

<\/p>\n

Using this data they can quickly lock a victim out of their online accounts and commit wide scale theft.<\/p>\n

<\/p>\n

Will SMS ever be encrypted?<\/strong><\/h2>\n

<\/p>\n

<\/figure>\n

\"Verified<\/p>\n

<\/p>\n

There are no plans to encrypt SMS. The technical complexities of making such drastic changes wouldn\u2019t be practical even if there was cross network agreement to do so.<\/p>\n

<\/p>\n

It\u2019s likely we\u2019ll see a shift away from SMS for sending security codes as criminals take increasing advantage of the security flaw.<\/p>\n

<\/p>\n

Why is SMS used for 2fa codes if it\u2019s not secure?<\/strong><\/h2>\n

<\/p>\n

This is more of a question of convenience than security.\u00a0<\/p>\n

<\/p>\n

SMS is ideal for sending security code because every phone on the planet can send and receive texts, without having to download a separate app like WhatsApp or Imessage.<\/p>\n

<\/p>\n

If you have a phone, you can\u00a0receive a code by text<\/a><\/strong>. So\u00a0SMS for 2fa<\/a><\/strong>\u00a0isn\u2019t ideal but it\u2019s a great deal more secure than using not using 2fa at all.,<\/p>\n

<\/p>\n

The chances of a 2fa code being hacked and then successfully used to access an account are still very rare indeed. That may explain the lack of urgency to develop a universal alternative.<\/p>\n

<\/p>\n

Is SMS more secure than email?<\/strong><\/h2>\n

<\/p>\n

The vast majority of commercially available email systems like Gmail and Outlook are not encrypted.<\/p>\n

<\/p>\n

With email you have the added danger that your device could be hacked, exposing not just the email folders but all other unprotected files on the device.<\/p>\n

<\/p>\n

Computer malware, spyware and other malicious systems are far more prevalent on computers. \u00a0Attacks are also more successful on laptops and computers than they are on mobile phones.<\/p>\n

<\/p>\n

For that reason, SMS is probably more secure than email.<\/p>\n

<\/p>\n

That\u2019s not because there are enhanced security features with SMS, it\u2019s just that the devices themselves tend to be more secure and less targeted.<\/p>\n

SMS Pumping Fraud poses additional risk<\/strong><\/h2>\n

A new type of fraud called SMS pumping<\/a><\/strong> could threaten the use of SMS for OTP. In this new criminal activity, web forms that generate OTP texts<\/a><\/strong> are attacked by fraudsters, triggering large numbers of outbound OTP SMS.<\/p>\n

They then generate a revenue stream by taking advantage of a revenue share offered by the mobile network<\/a><\/strong>.<\/p>\n

Users of SMS API services can easily find that all their text credits have been used and that they’re facing a large and welcome additional cost.<\/p>\n

SMS trashing<\/a><\/strong> is another form of fraud that business SMS users need to be aware of.<\/p>\n

<\/p>\n

Related articles<\/strong><\/p>\n

<\/p>\n

SMS OTP – A guide for 2022<\/a>\u00a0<\/strong>A guide to one time passwords<\/p>\n

<\/p>\n

What is MO and MT SMS?<\/a>\u00a0<\/strong>More mobile industry jargon explained<\/p>\n

<\/p>\n

What is P2P SMS?<\/a>\u00a0<\/strong>a simple guide\u00a0<\/p>\n

<\/p>\n

A guide to 2fa SMS<\/a>\u00a0<\/strong>2 factor authentication by SMS.\u00a0<\/p>\n

SMS Data Retention<\/a>\u00a0<\/span>setting limits on how long we hold your data.\u00a0<\/p>\n

<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Is SMS encrypted? Up until the last 10 years or so, no one really discussed the security of SMS.\u00a0 Because […]<\/p>\n","protected":false},"author":1,"featured_media":86,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-975","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts\/975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=975"}],"version-history":[{"count":0,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts\/975\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/media\/86"}],"wp:attachment":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}