Phishable: SMS
What is SMS?
SMS is a method that uses text messages sent to a user's mobile phone to verify their identity. It typically involves receiving a one-time code and using it in the authentication process.
Why is it phishable?
SMS is phishable because it lacks end-to-end encryption: codes can be intercepted or redirected through techniques such as SIM swapping and social engineering, and SMS provides no protection against AitM (Adversary-in-the-Middle) attacks.
Common attacks on SMS
- SIM Swapping: an attacker can gain control of a victim's phone number by convincing the victim's mobile carrier to transfer the phone number to a SIM card under the attacker's control.
- Social Engineering: an attacker can deceive users into disclosing SMS one-time codes by impersonating trusted sources.
- AitM (Adversary-in-the-Middle): a convincingly fake login phishing website created by an adversary can lead to session hijacking. Check out an exploit on SMS here.
- Brute Force: If the one-time code is not time-bound or the allowed number of entries for a code is high, the one-time code can be brute forced.
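As an added illustration of the brute-force point above (example code, not from the original page): a small Python verifier that enforces a code lifetime, a per-code attempt cap and single use, so a guessed code is worth at most a handful of tries. The `OtpVerifier` class, the constants and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a code dies five minutes after issue
MAX_ATTEMPTS = 5        # assumed policy: lock the code after five wrong guesses


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpVerifier:
    """Issue and check SMS one-time codes with expiry and an attempt cap.

    With six digits and five guesses, an attacker has a 5 in 1,000,000 chance
    per issued code; without the cap or the expiry the code is brute-forceable.
    """

    def __init__(self, ttl=OTP_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so tests can move time forward
        self.records: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # CSPRNG, zero-padded to six digits; the caller sends this over SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self.records[user_id] = OtpRecord(code=code, issued_at=self.clock())
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        rec = self.records.get(user_id)
        if rec is None or rec.consumed:
            return "no_active_code"
        if self.clock() - rec.issued_at > self.ttl:
            del self.records[user_id]
            return "expired"
        if rec.attempts >= self.max_attempts:
            del self.records[user_id]       # cap reached: even the right code is refused
            return "locked"
        rec.attempts += 1
        if hmac.compare_digest(rec.code, submitted):   # constant-time compare
            rec.consumed = True             # single use
            return "ok"
        return "wrong"
```

Each outcome is returned as a string so the caller can log "locked" and "expired" events, which are the signals that someone is guessing codes.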
What should you do if your organization uses SMS?
If your organization currently relies on SMS for authentication, we recommend the following steps for improvement:
1. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Implement phish-resistant MFA, such as Beyond Identity, for hardened security.
If you want to see what other steps you can take to improve your overall security, check out our zero trust assessment for a full analysis on your authentication and device management practices.