📱 Avoid Text Messages over SMS
TYPE | AUDIENCE | PRIORITY | COMPLEXITY | EFFORT | COST | UPDATED |
---|---|---|---|---|---|---|
Conduct | 🧑 | ⭐⭐⭐⭐⭐ | ⭐ | 🧑 | 🆓 | 2021-06-12 |
Rationale
- SMS text messages are insecure: they can be intercepted or redirected and are not end-to-end encrypted. Use secure channels instead.
Advanced details
👩💻 : There are several ways SMS messages can be intercepted or redirected. SMS delivery is tied to your SIM card, so if your telco registers a new SIM against your number and hands it to somebody else (for example someone pretending to be you, a so-called SIM swap), that person, and not you, will receive the messages intended for you. SMS is also not End-to-End Encrypted (E2EE): your carrier, every intermediary that handles the message on its way, and anyone who can intercept it in transit (i.e. while it is being sent to or from your phone) can read it in plain text.
Instructions
What you should know
E2EE
is short for End-to-End Encrypted. It means that only the devices of the people in the chat can read and write messages in the chat. Anyone who intercepts a message before it arrives on the other participant's phone, including the service that relays it, sees only meaningless digital noise.
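To make the definition concrete, here is an added example (not code from the original page, and not how Signal is implemented) of what "end-to-end" means at the byte level. It assumes the two devices already share a secret key; real messengers derive that key with a key-agreement protocol, which is not modelled here. Everything the relay can see is the output of `seal`, and any change to those bytes is detected by `unseal`. The cipher is built only from Python's standard library (HMAC-SHA256 used as a stream cipher, plus an HMAC tag in encrypt-then-MAC order); production apps use a vetted AEAD instead.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # per-message random nonce
TAG_LEN = 32    # HMAC-SHA256 tag


def _derive_keys(shared_key: bytes) -> Tuple[bytes, bytes]:
    """Split the shared key into independent encryption and MAC keys (HMAC used as a KDF)."""
    enc_key = hmac.new(shared_key, b"e2ee-demo enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"e2ee-demo mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based stream cipher: HMAC-SHA256(enc_key, nonce || counter) in counter mode."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(shared_key: bytes, plaintext: bytes) -> bytes:
    """Runs on the sending device. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_keys(shared_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_key: bytes, blob: bytes) -> Optional[bytes]:
    """Runs on the receiving device. Checks the tag first (constant-time) and
    returns None if the bytes were modified in transit or sealed under another key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _derive_keys(shared_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed demo: a key the two phones already agreed on, and one message.
    shared = secrets.token_bytes(32)
    message = b"meet at 10:00, gate B"
    in_transit = seal(shared, message)
    print("relay sees only:", in_transit.hex())
    print("plaintext visible to relay?", message in in_transit)   # False
    print("recipient reads:", unseal(shared, in_transit))
    corrupted = bytearray(in_transit)
    corrupted[NONCE_LEN] ^= 0x01   # flip one ciphertext bit on the way
    print("tampered copy decrypts to:", unseal(shared, bytes(corrupted)))   # None
```

The contrast with SMS is the `relay sees only` line: with SMS the carrier's copy is the message itself, here it is the sealed blob, and the relay can neither read nor silently alter it.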
What you should do
1. Don't use SMS for communication
- Don't send SMS - Instead use secure apps like Signal for your communication.
- When you receive an SMS from a contact - You cannot control who sends you SMS messages, but if a contact sends you one, reply and explain why they should only communicate with you through secure channels like Signal.
2. Remove your phone number from web services
The goal is to prevent web sites from sending you SMS messages (for example security tokens or login codes), so log in to the web services that have your phone number (e.g. Facebook, Google, Microsoft) and either:
- See if it is possible to remove your phone number from the account entirely. Usually this option is available from the "Account Settings", "Profile", "Contact Details" or "Security".
- Disallow the service from contacting you via SMS.
- Note: If your security setup currently uses SMS as part of your Multi-Factor Authentication (MFA/2FA) flow, read the instructions in 🔒 Setup an Authenticator for Multi Factor Authentication and learn how to use Time-based One-Time Passwords (TOTP) instead of SMS messages as your second factor. Enrol the authenticator app and save the account's backup codes before you remove the phone number, otherwise you can lock yourself out of the account.
3. Learn which Apps support E2EE for text messages
Read the guide to 📱 Text Message over E2EE Apps, so you know which apps you can trust your messages to, and when to suggest switching to a more secure channel.
Sources: KrebsOnSecurity