Are text messages secure enough to communicate freely? There have been rising concerns about the security of SMS as a communication channel, but nowadays, nothing is entirely safe. Every system has its vulnerabilities, even the most technologically advanced ones.
Take LastPass, for example – you'd think password management software would be impenetrable, but even that isn't safe from cyber attacks. Is WhatsApp safer than texting, then? Or Facebook Messenger? In some ways, maybe. But apps like Facebook Messenger and WhatsApp come with their own set of vulnerabilities and security risks.
The best you can do when using any digital channel or software is to take precautionary measures to mitigate all known risks. As long as you do that, there's no reason not to use SMS for verification or as a communication channel for reaching existing and prospective customers.
The security risks of text messaging
SMS is one of the most widely used channels for communication all over the world. Why the scepticism around its safety, then? What exactly are the security threats and concerns around using SMS for business communications? Here are the top SMS security issues you should know about.
Are SMS messages encrypted? No.
End-to-end encryption is where plain text is converted into scrambled SMS data at the point of transmission. It's then converted back into readable text at the recipient's end. So with encrypted messages, only the sender and receiver know the actual message content.
Text messages aren't encrypted, and because SMS doesn't have this type of encryption, mobile phone networks and other third parties can see the contents of your unencrypted text messages if they receive or intercept them (accidentally or intentionally). In case you were wondering if it is safe to send sensitive information by text, it isn't, and now you know the reason.
Why can't we just encrypt SMS messages?
Unfortunately, SMS encryption isn't possible because SMS technology doesn't support advanced encryption security features. It works via a legacy transmission protocol, meaning it doesn't have the end-to-end encryption capabilities of certain instant messaging channels, such as WhatsApp or Viber.
Even if the infrastructure supporting SMS transmission were upgraded in the future to something more modern and advanced, it likely wouldn't be compatible with all the many different mobile device types and platforms used by the general population. So, that could cause a major disconnect between your business and the significant proportion of your customer base or leads that sign up for your SMS marketing.
Can someone intercept your text messages?
SMS doesn't have totally secure delivery mechanisms and protocols – and the fact that messages aren't end-to-end encrypted doesn't help. Text message hacking is possible, and if sensitive information falls into the wrong hands, the consequences can be highly detrimental.
For example, imagine you request a 2FA PIN code by text when logging into your bank account. If a hacker intercepts this SMS and has also collected other sensitive data belonging to you, such as your password and answers to security questions, they could gain access – and potentially clean out your account.
SMS messages are often intercepted via man-in-the-middle attacks, in which a third party may pretend to be the actual recipient or find a vulnerability in the connection between the sender and the recipient and exploit that vulnerability to access the messages being exchanged without either party knowing.
SMS phishing
SMS phishing (or smishing) is a type of social engineering attack where victims are tricked into giving away sensitive information to an attacker. Attackers usually steal this information by getting you to click on a malicious link in the text message, which can either download malware onto your phone or lead to a fake website. In both cases, cybercriminals hope you'll type in confidential information that they can then access and use fraudulently.
SMS spoofing
SMS spoofing is very similar to smishing. This is where cybercriminals impersonate a legitimate individual or organisation (like your bank) to deceive you and extract sensitive information. They alter the sender's phone number and/or contact name to make it look like the text message is coming from someone you know and trust.
An example is getting a text message from your bank, but something about it seems odd. Maybe the company name is the same, but one letter has been changed, e.g. instead of PayPal, it's Paypal with a lowercase 'p'. Spoofed texts look very convincing, and if you happen to click a link in the message content or reply to an individual, this gives scammers an opening to steal from you.
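The PayPal/Paypal case above can be caught mechanically when sender names are screened, for example in a message filter or a brand-monitoring job. The following is an added example, not code from the original article; the allowlist and the look-alike character map are constructed for illustration and are not exhaustive.

```python
import unicodedata

# Constructed allowlist: the exact sender names a business really uses (assumption).
TRUSTED_SENDERS = {"PayPal", "Messente"}

# Small illustrative map of look-alike characters, applied before case folding
# so that a capital "I" standing in for a lowercase "l" is caught.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l",
                             "3": "e", "5": "s", "$": "s", "@": "a"})

def skeleton(name):
    """Reduce a sender name to a form that ignores case, accents,
    punctuation and common look-alike characters."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = no_accents.translate(CONFUSABLES).casefold()
    folded = folded.replace("rn", "m").replace("vv", "w")
    return "".join(c for c in folded if c.isalnum())

def classify_sender(name):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender name."""
    if name in TRUSTED_SENDERS:
        return "trusted"            # exact, case-sensitive match only
    candidate = skeleton(name)
    if any(skeleton(t) == candidate for t in TRUSTED_SENDERS):
        return "lookalike"          # same skeleton, different spelling
    return "unknown"

if __name__ == "__main__":
    for sender in ("PayPal", "Paypal", "PayPa1", "Pay-Pal", "Acme"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a reason to quarantine or warn, since the name differs from the trusted spelling while being built to read the same.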
SMS traffic pumping
SMS pumping is also known as an artificially inflated traffic attack. It's where fraudsters abuse a phone number input field online to request a one-time passcode (OTP) or a download link by text message. If controls aren't in place limiting the number of times each user can request an SMS from your business, this can inflate traffic and exploit the secure texting API, system, or app you use.
This type of scam generates income for the attacker and, as such, can cost businesses a great deal of money. If you suddenly notice an uptick in PIN code requests from random countries, your application has probably been affected by SMS pumping.
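The two controls mentioned above, a cap on how often an SMS can be requested and a watch for unusual country traffic, can be sketched as follows. This is an added example, not code from the original article or from any SMS provider; the limits, prefixes and function names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them to your own traffic.
WINDOW_SECONDS = 600
MAX_PER_NUMBER = 3                    # OTP texts per phone number per window
MAX_PER_CLIENT = 5                    # OTP texts per client IP per window
ALLOWED_PREFIXES = ("+372", "+44")    # constructed: markets you actually serve

class OtpSmsGuard:
    """Decides whether an OTP request may trigger an SMS."""
    def __init__(self):
        self._by_number = defaultdict(deque)
        self._by_client = defaultdict(deque)

    @staticmethod
    def _recent(stamps, now):
        # Drop timestamps that have aged out of the sliding window.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        return len(stamps)

    def check(self, number, client_ip, now=None):
        now = time.time() if now is None else now
        if not number.startswith(ALLOWED_PREFIXES):
            return "deny:country"
        if self._recent(self._by_number[number], now) >= MAX_PER_NUMBER:
            return "deny:number_rate"
        if self._recent(self._by_client[client_ip], now) >= MAX_PER_CLIENT:
            return "deny:client_rate"
        self._by_number[number].append(now)
        self._by_client[client_ip].append(now)
        return "allow"

def prefix_spikes(numbers, baseline, prefixes, factor=5, min_count=10):
    """Return prefixes whose request count is far above their usual volume."""
    ordered = sorted(prefixes, key=len, reverse=True)   # longest match first
    counts = defaultdict(int)
    for number in numbers:
        key = next((p for p in ordered if number.startswith(p)), "other")
        counts[key] += 1
    return sorted(p for p, n in counts.items()
                  if n >= min_count and n > factor * baseline.get(p, 0))
```

Run `check` before every send, and feed `prefix_spikes` the numbers requested in the last hour together with your normal hourly counts per prefix.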
MMS messages can contain viruses
SMS is secure in the sense that it is text-only, so it can't be used to transfer malicious content via file attachments. MMS, on the other hand, opens you up to a new type of risk because it can transmit different kinds of files. Messente's Security Manager, Marko Sulamägi, explains that MMS messages can contain viruses in the form of seemingly harmless attachments that could end up wreaking havoc on your mobile device. He emphasizes how important it is to be careful about what you click on and download to your phone.
Why is SMS still used, despite the risks?
These security risks are a concern; however, no other communication channel has the same level of global penetration as SMS.
You might be tempted to switch to WhatsApp for sharing two-factor authentication codes with customers. But to do this, your customers need to download WhatsApp onto their mobile phones. Can you force them to download an app just to use your service? Absolutely not – people will only use the apps they like and find convenient.
SMS is a native app built into every text-enabled mobile phone; even the most basic feature phones can send and receive text messages. SMS doesn't require any extra app to be downloaded and installed, and there's no hardware to worry about.
Six top tips to enhance security for SMS messaging
There are plenty of things you can (and should) do to minimise the security risks around SMS messaging. Some of these involve educating customers about secure text messaging and the steps they can take at their end to use SMS safely.
1. Stay updated and be aware of potential texting scams
It's vital to stay in the loop about cybercrime to spot new threats when they arise. Keep an eye on the news because many different types of text scams are always in the headlines with warnings and tips on how to avoid them. Word travels fast!
2. Consider RCS and iMessage
All sorts of rich communications are safe to a certain degree. RCS is how you encrypt text messages on Android, while iMessage is for secure text messaging on Apple iOS devices.
Rich Communication Services (RCS) was created by Google as an upgrade to SMS, and to rival Apple's iMessage. Both allow users more flexible messaging features such as media attachments, group chat functionality, and real-time typing indicators. Notably, both RCS and iMessages are end-to-end encrypted, meaning that if they're intercepted, no one can decode the contents, not even Google or Apple.
Since RCS and iMessage are encrypted, they can also be much more resource-intensive than SMS. You'll also need an internet connection at both the sender's and the recipient's end. So yes, to increase text messaging security, you could potentially send SMS over WiFi instead of a cellular network. But this relies on the recipient having WiFi or mobile data, which isn't always possible (for example, in patchy internet areas).
3. Keep mobile devices secured
One easy way to stop unauthorised people from reading text messages is to ensure your mobile phone or tablet is never left unattended. Always lock devices with a PIN or biometric ID, and should the worst happen and your device get stolen, remote wipe it, lodge a formal complaint with the police and get your SIM blocked promptly.
These are useful fraud prevention measures you can educate your customers about through blog posts and marketing campaigns. They will have a direct impact on boosting SMS privacy and making text messaging secure.
4. Avoid sending sensitive information over SMS
If you're sharing sensitive information with customers, don't use SMS – use another channel. For example, if customers want the option to pay by text, don't ask them to send their payment details by text message. Instead, send them a link to a secure online payment portal where they can safely enter their details. (You could still send the link by SMS – in which case you should brief customers in advance on avoiding suspicious messages and ways they can tell texts from your business are genuine.)
5. Use alternate messaging apps depending on specific use cases
You don't want to force customers to download third-party messaging apps, but there's no harm in using other channels if your customers prefer it.
For instance, instead of relying purely on SMS verification, you can adopt an omnichannel approach and use another authentication method. This way, you can let customers choose which channel to use for receiving their PIN code. Viber is a good option for verification as it uses the HTTPS protocol to encrypt messages in transit. It also allows rich content messages to help you create meaningful conversations.
6. Send flash SMS messages
Flash SMS messages can help you preserve customer confidentiality. They appear on the lock or home screen of the recipient's mobile phone and then disappear instead of being stored locally (in the customer's device storage). No content from a flash SMS message can be accessed after it's been closed, so if the recipient's phone is stolen, the text can't be read.
The only risk with flash SMS is that an unauthorised person near the recipient's phone could view it as it pops up. However, it's unlikely that you'd send a flash SMS with sensitive information at the exact time the recipient's phone is stolen.
Practice safer SMS messaging
If you've ever wondered, "Can someone access my text messages?" you now know that yes, it is possible. There are several ways scammers and hackers can threaten SMS security; however, no channel or system is 100% safe – not even those created by tech giants.
Is SMS encrypted? No, but when you consider the advantages of SMS – the extensive and indiscriminate global reach, the exceptionally high (98%) open rates and the convenience it offers customers (being a native app) – they may far outweigh the risks.
By using a secure enterprise text messaging service, taking appropriate preventive measures, and ensuring customers do the same, you can prevent many threats from taking root, ensuring text message security and privacy to a certain extent.
Learn more about secure SMS messaging for businesses in the Messente blog. You can also talk to us about the measures we have in place to help our clients send text messages securely.
Frequently asked questions
Can someone hack your mobile phone through text?
Yes, you might fall victim to a hacking attempt via a malicious link, or via a harmful file such as a virus or other malware sent as an MMS attachment. Be mindful of how you interact with the SMS and MMS messages you receive, especially ones sent from unknown numbers.
Can responding to a text message be harmful?
Yes, it can be harmful to respond to a text message that you don't know the origin of. You never know what the attacker's strategy is. They could easily ask intelligent questions to extract sensitive information from you, and you might not even realise what is happening. We recommend not replying to suspicious texts or Sender IDs.
Is it safe to send passwords over text?
Absolutely not! It's not safe to send passwords over any communication channel, and especially SMS, because SMS isn't encrypted. Other sensitive information, such as bank account info, ATM PINs, answers to security questions, or other personal data, should also not be texted out via SMS. If any of these details are intercepted, they can lead to serious damage.
Are text messages more secure than email?
Both SMS and email have their own pros and cons in terms of security. The level of security will also depend on the measures and practices you have in place, as well as your service providers' policies. For instance, if you're using a secure SMS service and a shady free email provider, the former will be far more secure.