Time to Stop Using SMS for Service Messages- It’s Insecure!

Time to Stop Using SMS for Service Messages- It’s Insecure!

Amid desperate times, where a ransomware attack hit over 200,000 computers in over 150 countries, we need to seriously think of text message security. Concerns were being expressed for years over security loopholes in the Signalling System 7- SS7 protocol, the telco standard that is used to send text messages.

Recently it has been reported that hackers have hacked some bank accounts in Germany. They easily managed to exploit the shortfall off SSL7. Hence, with the recent turn of events, customers need to be very careful while banking or shopping online.

Understanding two-factor authentication (2FA)

Two-factor authentication adds an additional step to complete the desired process. A random passcode is delivered via an SMS or a call when you log in to your account as an added layer of protection.

SMS-based two-factor authentications are not secure

Online and mobile banking truly provide the convenience of shopping and banking anytime and anywhere. Unfortunately, this attracts scammers and hackers that are interested in the money included in all this system.

All of us are familiar with One-time password (OTP) messages. When we shop online, we need to provide an OTP to complete the buying process. Even while banking, every time when we transfer the money online we need to provide this one-time password.

Regrettably, SMS-based two-factor authentications have been declared insecure by US National Institute of Standards and Technology (NIST) and had released a draft asking organization to ban it. SMS-based-two-factor-authentication soon might be a thing of past.

Here is the snippet of latest draft

"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

NSIT mentions that SMS-based two-factor authentication is insecure because it's way too to obtain a phone number and the websites have no control to verify whether the person who receives the 2FA code is the correct recipient.

The flaws in SS7 also allows hackers to divert the SMS containing a one-time passcode (OTP) to their own device, which lets them hijack any service, including Twitter, Facebook or Gmail, that uses SMS to send the secret code to reset the account password.

Perfect Solution: Push Notifications

Push notifications can surely help banking, as well as e-commerce organizations, overcome the security challenges. How?

Push Notifications Lifts Android Security

Keeping Push Notification security tight in Android phones is what Google’s next endeavor. It has already made a recent announcement of instigating some vital security features in the next Android OS.

The world’s most popular search engine is now planning to bring a new feature named Native Android Push Notification. With this exciting set of features, when a new device accesses a Google account, the account holder would be quickly notified through a push notification as to check whether they have signed in. If any suspicious activity is detected, account owners just need to tap the “Review account activity” button to know the details of the newly logged in device.

Block Intrusions

The e-mail notifications for Google is not new and it believes that smartphone users pay 4 times more attention to push notifications on their smartphones as compared to email notifications. Push notifications will always provide Google account holders with the opportunity to change your password before an intruder logs-in. If the situation is a bit worse and you feel that prowler has accessed your account you can immediately change your password and add two-factor authentication that too on the go.


Reach your customers even when they aren't browsing your website