Short Messaging Service (SMS), commonly called text messages, are a convenient way for organisations to communicate with customers, staff and others. However, SMS messages are also frequently used to send highly sensitive data. For example, one-time passcodes used to access critical systems and services as part of a multi-factor authentication (MFA) system.
Unfortunately, while the qualities of SMS make it a valuable business tool, the technology was never intended to be used to transmit high risk content. Consequently, there are a number of inherent weaknesses in the ecosystem which support SMS.
These weaknesses mean that, where the value of the message content is of interest to bad actors, they are increasingly attempting to exploit SMS.
This guidance does not rule out the use of SMS for transmitting sensitive data. Instead, we advise that you should understand how your organisation uses SMS, and determine whether to put in place additional controls. To aid with that process we outline common use cases for SMS, relevant threats to the technology and possible measures to defend against them.
Mobile telecoms companies are aware of the problems with SMS and are actively working to close vulnerabilities. However, these are complex issues and it may be impossible to fully compensate for the inherent weaknesses of the system. So, any organisation using SMS must have a clear understand of how and where the technology is used and take steps to mitigate or reduce associated risks, where appropriate.
Why SMS is popular
The Short Messaging Service (SMS) was originally developed as an engineering signalling system. It was not designed as a method for transmitting secure messages.
SMS has a number of qualities which make it attractive for business use:
ubiquity – the vast majority of mobile phones globally support the SMS protocol making it easy/cheap to develop services
familiarity – consumers understand SMS
timely – SMS messages generally get delivered, globally, within a few seconds
inexpensive – relatively low cost to use
reliability – the store and forward nature of SMS means it is often seen as a ‘fire and forget service’
Organisations, particularly Banks, use SMS for the following purposes:
to send information to customers
to send one-time passcodes to customers
to confirm a questionable transaction
General threat protection advice
1. Know your estate
Before you can determine which protections you should put in place, you must first understand exactly where and how your organisation uses SMS. You should then assess the level of risk associated with these business process.
For example, simple updates on the progress of a product application are likely to be deemed ‘low risk.’ Their value to an attacker is unlikely to justify the effort needed to subvert the SMS sending process. This situation is unlikely to warrant investment in additional protective controls.
Conversely, a one-time passcode sent by SMS and used to authorise new payments could be deemed 'high risk'. This type of message would be high value to an attacker and therefore justify investment in additional controls.
You should create and maintain a formal record of how and where your organisation uses SMS.
Even if the risks are deemed to be low, this inventory is vital in order to rapidly assess the impacts of new or increased attacks against SMS.
2. Consider alternatives to SMS
There are many ways by which SMS can be compromised and full defence against such attacks is not possible.
In some cases there may be alternatives to SMS, such as the Push Notifications offered by the iOS and Android ecosystems.
3. Protect the integrity of customer phone numbers
Whilst many attacks against SMS are complex and technical in nature, it's also possible to subvert SMS-reliant tasks by targeting the underlying database.
For example, access to the database which holds customer’s genuine mobile numbers would allow an attacker to alter records, diverting SMS messages to a number under their control.
Before allowing phone numbers to be amended, there should always be a robust process of customer authentication, ensuring that only the legitimate owner of that number can change it.
When a phone number is updated, a message notifying of the change should be sent to the old phone number, asking the customer to make contact if they did not make this change. It may also be prudent to send this message by some means other than SMS, email for example. This checking process should itself be protected from social engineering attacks of the form: “I didn’t ask for the change, please change it back to xxxxxxx.”
When a phone number is updated, the change should be time stamped. When the number is used to send a ‘high value’ SMS, the enterprise should make a risk-based decision on the age of the phone number (typically older numbers are likely to be more trustworthy)
You should treat the customer’s mobile phone number as having value. As such, when displayed (for example as confirmation of the number an SMS will be sent to), the number should be partially masked so that it's of no value to an attacker, but still recognisable by the customer.
The organisation should identify, and if appropriate take action, where the same mobile number appears to be in use by different customers.
This could be an indicator of fraudulent use or could be the reallocation by a telecoms company of an old number. In the latter case it is important from a reputational risk perspective not to send the former holder’s message to the new owner of the number.