Is sending passwords through cellphone text messages secure?

Question

Both the sender and the receiver deleted the text after it was sent, but is it still possible that it exists somewhere and that someone can get to it?

Answer 1

It is absolutely not secure. Text messages function essentially the same way email does: your client (phone) forwards it to a server, which then looks up a destination which may be on another network (carrier) and then sends it over where it is held in a mailbox until a phone gets it.

Anywhere along the way it can be copied, retained longer than expected, etc. Lawful interception, unlawful interception, cloned phones, Google+ accounts, etc are all ways a message can end up somewhere unexpected and all that assumes you trust the phone and software on it.

Clear text is compromised text. Always.

Answer 2

Sending the password through sms/texting was, as far as I can tell, originally intended to be used to ensure the password came in through a different medium than the encrypted file you were receiving the password for.

An encrypted file would be sent through email and the user would receive a plain-text sms on his phone with a password. This would necessitate a thief to steal both your laptop (or email inbox access) as well as your phone (or access to your phone's sms inbox) in order to have both file and password.

Currently, smartphones are often set to act as mailboxes too, which means that, even if you send it as a text message, you'll still have both key and encrypted message on the same device. If the phone is subsequently stolen, and the email still resides in the inbox that is accessible from the device, it will simply mean the thief has to also check your text messages sent around the same time and probably from the same contact for passwords if he wants to open it.

So while sending plain-text passwords was never secure, it has worked well enough in the past for us. The fact that we are still perpetuating this habit now that many of our phones are mobile email inboxes as well, though, is.. kind of worse, I guess?

Answer 3

'Secure' is not an absolute. It is a mistake to think in terms of things being secure or not secure. You need to evaluate the security in context - who are the users, what is the threat, what is the value of the thing being protected etc. What are all the controls in place? Is the text message the only bit of information required or is it just part of an authenticaiton/authorisation chain?

Other responses have highlighted that normal SMS messages are very similar to email in that you don't have knowledge or control over what servers the message passes through and therefore, knowledge about how trustworthy the companies, sys admins etc are. You cannot know level of government monitoring etc.

There are a number of recent news articles about failures in two step authentication which uses SMS messages to send an additional code which must be entered. Actually, this isn't strictly speaking two factor authentication, but rather two step authentication, but that is another story.

The common 'thread' in these hacks which have been able to defeat two step authentication has not be about the SMS message being intercepted or stolen in transit - it is actually much simpler and uses the easiest, low tech approach - social engineering. Basically, these systems have been bypassed simply by contacting the recipients cell provider and convincing them, through various social engineering techniques, that they are the legitimate owner and need to have their number forwarded to a new phone - usually some burner phone. Once that is done, the SMS message is simply redirected to the bad guys burner phone and it doesn't matter how secure or not the transport process is. This is why, if you are really concerned, you should opt for a solution which doesn't use SMS, preferring something like google authenticator running on your device. As usual, this is all a play off between convenience and level of threat. For many people, SMS may be sufficient, but for others who are more likely to be targeted, it is too high a risk and as mentioned by others, the purpose/type of the SMS message is also relevant - a full password which gives full access without any other information required is a much higher risk than a one time token with a limited lifetime/use which is only part of a chain of things which need to be used in order to get access.

Answer 4

Here's an interesting summary of GSM encryption of text messages: How hard is it to intercept SMS (two-factor authentication)?

From what I understand, text messages are encrypted as they go through the air. The SIM card provides information to encrypt the message and the cell provider has the information necessary to decrypt it. (It recently came to light that the NSA had hacked into the databases of the manufacturer of around 90% of all SIM cards in the world, a company in the Netherlands called Gemalto, and snagged the data needed to decrypt text messages for all the SIM cards that the manufacturer had produced).

The service provider then does whatever they need to do to get the text message to its intended destination, and I have no idea if that involves encryption or not. It's different than e-mail in that text messages go through the networks of one or more service providers to be delivered and it is encrypted at its most vulnerable points when it is going through the air where anyone could conceivably intercept it.

Text messages are also different from e-mail in that they don't travel through the open Internet like e-mail where anyone could watch it go by. The service providers and governmental organizations like the NSA could easily get it by having a presence in the service provider's network, but your average malicious actor would be unlikely to be able to get inside the service provider's network. As long as you trust the service providers (both yours and the provider at the destination), you aren't afraid of governmental organizations taking your password, and you are pretty sure nobody else will be reading the receiver's phone, then I think sending a password via text is not a problem. It's a much different delivery mechanism than e-mails.

With iMessage (the standard text app) on the iPhone and iPad, the messages are encrypted securely all the way from sender to receiver. Messages are encrypted using the receiver's public key and can only be decrypted using the receiver's private key, which only the receiver has. I will note that it is theoretically possible for iMessage to also encrypt with a special public key that Apple or the NSA has access to so that these messages could also be read by them, but only the holder of the private key would be able to decrypt it. Apple claims it is not doing anything like this, so as long as you trust Apple, nobody can read those messages. The iMessage encryption functionality is only used when both the sender and receiver are using Apple products.

There are also guaranteed secure messaging products like Threema, where emphasis is on encryption that nobody but the receiver can decrypt, but that's overkill for sending passwords in my opinion.

One of the above posters is correct in that security is a not a yes/no question. It's a spectrum from extremely insecure to very secure. Security for the truly paranoid is very difficult, so you just have to choose something that's good enough for you.

Answer 5

No.

Above answers nailed it. There are ways to bluesnarf a cellphone if bluetooth is left on--leaving your phone compromised. There are also ways to recover deleted texts, photos, data on a cellphone using FTK or any decent digital forensics tool if someone has physical access to the phone.