Questions tagged [sms]

Short message (or messaging) service, a system that enables cellular phone users to send and receive text messages.

222 questions
139 votes, 2 answers

Received a set of SMS/MMS containing 2 photos, a voice message, and a text "I need help" with Google Maps link from a known contact. Is it spam?

My girlfriend (let's call her Jane) just got a set of SMS or MMS messages coming from a friend of hers (let's call her Hellen). These messages contain: two photos of Hellen; a voice message; a text that says "I need help" followed by a Google Maps…
ravasaurio
137 votes, 8 answers

How hard is it to intercept SMS (two-factor authentication)?

A lot of two-factor authentication mechanisms use SMS to deliver a single-use passphrase to the user. So how secure is it? Is it hard to intercept the SMS message containing the passphrase? Do mobile networks use any kind of encryption on SMS? I found…
Paul Podlipensky
84 votes, 7 answers

Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

I did some research about how secure and private SMS messages are. Providers and governments can see these SMS messages in plaintext, but what is weird is that these messages are not encrypted in transit. According to my knowledge, that makes the…
67 votes, 4 answers

Are there any security risks in replying to an SMS message?

I routinely receive seemingly harmless SMS messages from unknown people. They're usually simple, like "Hi" or "Hello" or "Are you there?". This happens several times a week, and certainly often enough that it seems to be some sort of organized,…
Caleb
50 votes, 5 answers

Should the average user with no special access rights be worried about SMS-based 2FA being theoretically interceptable?

Security experts are constantly discouraging users from using SMS-based 2FA systems, usually because of worries the auth code could be intercepted by an attacker, either through a SIM swap or a MitM attack. The problem I see with this statement is…
Nzall
43 votes, 1 answer

Why is SMS OTP not as secure as Authenticator Applications such as Microsoft Authenticator?

Why is SMS OTP not as secure as Authenticator Applications such as Microsoft Authenticator, etc? Is it because of snooping of mobile communications? or?
Nathan Aw
43 votes, 6 answers

What is preventing us from sniffing the mobile phone communication?

I'm learning wireless penetration testing. It really is amazing. But it made me wonder, what about mobile phones? They are also means of wireless communication. So, our entire voice must be in the air surrounding us. So, what makes it difficult to…
claws
38 votes, 1 answer

How does a new SMS message overwrite a previous one?

During a talk from a vendor, the speaker mentioned that their product used a "little known feature" of SMS in order to overwrite the last text message received from them. This feature was being used to send a one-time token, so it was quite useful.…
Polynomial
31 votes, 2 answers

If you SMS text someone, how much more information will they know about you?

If I send someone a text, how much information am I giving up? Could they add me to an app like Whatsapp and access my name and profile? Or does their number first have to be saved in my phone contacts for that to happen? What other information…
kandyman
30 votes, 6 answers

Is revealing the phone number during OTP verification process considered a vulnerability?

One of the common ways of implementing 2FA is using phone number text message or call with OTP. As I can see, usually web services show something like: "OTP was sent to the number +*********34". Is it done because revealing the number is considered a…
MyUserName
21 votes, 4 answers

Could my bank's two-factor authentication be hacked?

When I attempt to log in to my bank, an SMS code is sent to my phone. I then type this nine-character code into the bank's Web site, to login to my account. Is this vulnerable to attack, without hacking the bank's software or server, or without…
user13779
19 votes, 4 answers

Are SMS, MMS stored on the network service providers' servers?

Are SMS and MMS sent via a mobile phone stored on telecommunication service providers' servers before passing them to the recipient? Does it depend on the country or does every network service provider have the resources to do something like this?
dev1234
18 votes, 4 answers

Prevent against OTP abuse in app sign up flow

This may sound like an open ended question, but I would like to take my chances and understand if there is any way the rest of the community is handling this issue. Let's say there is an app that allows users to sign up using their phone number.…
qre0ct
16 votes, 3 answers

Should 2-factor authentication using SMS be deprecated?

Google, Facebook and most of the important websites (banks, payment sites, etc...) use SMS as the major method for 2FA or for controlling the account (password reset, etc..). However, GSM was proven long ago to have vulnerabilities: SS7…
T.Todua
16 votes, 2 answers

Is LastPass SMS Recovery a security risk?

According to the LastPass FAQ, employees of LastPass cannot see nor decrypt the stored passwords. LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your…
eKKiM