The National Institute of Standards and Technology, which publishes security guidelines, recently confirmed what security professionals have been saying for years: SMS is not fully secure.

SMS is really a vulnerable two-factor authentication method, pointed out Michael Lynch, chief strategy officer for Boston-based digital device intelligence company InAuth. "SMS is frequently targeted by fraudsters especially when it is used as some type of one time code or verification."

NIST, the non-regulatory agency of the Commerce Department, specifically singled out the risk of SMS when used in 2FA in its latest draft of the Digital Authentication Guideline. NIST stated that SMS messages are vulnerable to interception and redirection. NIST made it clear in a blog post that it was not yet banning the use of SMS, only discouraging it. The final guidelines, however, might discourage the use of SMS-based authentication for out-of-band verification.

Lynch explained that 2FA refers to the accepted security protocol of confirming a user's claimed identity by using two different attributes: a combination of something the user knows (for example, a PIN), possesses (maybe an ATM card) or is inseparable from them (such as biometrics).

Out-of-band (OOB) verification uses two separate networks to authenticate a user, such as when members forget passwords and have temporary passwords texted to their phones. In theory, this makes fraud harder to commit because an attacker must compromise two disparate authentication channels to gain access.

However, in practice, NIST said, SMS is a vulnerable 2FA method, and determined criminals can exploit it. Because possession of the person's mobile device is not required, SMS vulnerabilities can expose information through man-in-the-middle attacks or forwarded messages.

Further, criminals can attempt to substitute their own phone number for their victims' number prior to attempting access. The effectiveness of this technique depends on the organization's strict adherence to security protocols in changing account information.

For these and other reasons, fraudsters often specifically target SMS as a potential access point. Malicious software can exploit SMS functionality to send fraudulent text messages or fake incoming SMS messages for phishing, also known as SMiShing. Lynch suggested VoIP services also permit the possible interception of SMS messages.

Despite these vulnerabilities, the industry has long accepted them for lack of an alternative, Lynch pointed out, because fraud and authentication professionals have struggled to find the right replacement.

Instead of SMS, the NIST guideline recommends the use of tokens, one-time code generators, and software cryptographic authenticators to prevent fraud. With these tokens in place, changing the pre-registered telephone number is not possible without two-factor authentication at the time of the change, blocking one potential access point for fraudsters.

Communication through dedicated apps, paired with authentication software that delivers server-to-client messages point to point over an encrypted path, makes for better protection. Lynch said this procedure, which InAuth provides, is remarkably secure. "There is no way for transmissions sent along this route to be intercepted or replayed."

InAuth provides a permanent device ID, InPermID, for mobile apps. The mobile device can then act as a trusted second factor of authentication. In the message process, InAuth sends communication from the server to the mobile app on that device. The recipient receives a push notification about a new message before receiving it. That message, encrypted end-to-end, never travels outside the rails or architecture. There is no external handoff to a third party.

Another best practice for authentication mentioned by NIST is biometrics use. InAuth's browser fingerprint recipe allows businesses to recognize any web-connected device and produce a unique identifier, InBrowserID.

"I understand where they [NIST] are coming from, they highlight vulnerabilities," Lynch said. "The challenge is to do something about it. Using that mobile device as a secure token. You certainly need to make sure you secure that mobile device itself," Lynch said.

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).