You might think that switching from Facebook Messenger to old-fashioned SMS text messaging will help protect your privacy. However, standard SMS messages are not very private or secure. SMS is like fax – an old and outdated standard that is still widely used today.
Your carrier can see your SMS messages
With SMS, the messages you send are not end-to-end encrypted. Your mobile service provider (carrier) can see the content of the messages you send and receive. Those messages are stored on your mobile carrier’s system – so instead of a tech company like Facebook seeing your messages, your mobile carrier can see them.
Cellular service providers store the contents of those messages for various periods of time. Messages are usually only kept for a few days, but the metadata (which number sent a message to which number and at what time) is stored for longer. This data can be obtained through legal proceedings — for example, text messages are a common form of evidence in divorce cases in the US.
Compare this with an end-to-end encrypted chat app like Signal. Signal does not store your communications. Signal doesn’t even know who you’re talking to. Your chat data is stored only on your device and the device of the person you’re chatting with — that’s all.
Besides, should you trust your mobile carrier? Back in 2019, AT&T, Sprint, and T-Mobile in America were all quietly selling customer location data to other companies. This data was used by everyone from bail bondsmen to rogue bounty hunters. (After this was discovered, the mobile service providers promised to stop.)
Do you want those companies to see all the content of your private conversations?
SMS messages can be secretly read and edited by hackers
SMS messages are used for security, right? There’s a reason every bank and financial institution relies on SMS messages to verify your identity — right?
There is indeed a reason for that. But that reason is not security. It’s just that everyone has a phone number. Requiring confirmation via SMS merely adds some extra security.
SMS messages can be intercepted. Cell phone networks around the world are interconnected through the Signaling System 7 (SS7) protocol. This is how your phone can connect to the mobile network to make and receive calls, even if you are in another country.
The SS7 system has been repeatedly attacked by hackers who have snooped on or intercepted SMS messages. This matters for bank account takeovers, for example – attackers can steal verification codes normally sent via SMS, use them to access bank accounts, and spend your funds.
This is why security experts have recommended against using SMS for two-factor authentication. An app that generates a code on your device or a physical security key offers much better security. (If SMS is the only option you have, though, having SMS is better than nothing.)
SMS messages can be tracked by the government
Governments around the world have access to “stingrays”, devices that essentially pretend to be a cell tower. When placed near your physical location, they trick your phone into connecting to them (just as your phone would connect to a regular cell tower). The stingrays can then track your movements and view your SMS text messages – just like a mobile carrier.
In addition to local monitoring, SMS messages can also be swept up by larger surveillance systems. According to documents from Edward Snowden published in 2014, the NSA (US National Security Agency) was at that time collecting more than 200 million text messages per day from all over the world.
Countries’ intelligence forces also have access to stingrays and SMS surveillance technology, so it’s clear why encrypted communication apps like Signal and Telegram are especially popular among hackers living under repressive regimes. For example, Telegram and Signal are banned in Iran.
Your phone number is very easy to steal
Aside from SMS messages, phone numbers actually have very poor security. Scammers can call your cell service provider or enter a store and impersonate you. In the US, if a scammer has enough details about you personally, they can take control of your phone number. They may ask your service provider to “transfer” your phone number to another mobile service provider. Or, they can ask your carrier to issue a new SIM card tied to your phone number and deactivate your existing SIM card, removing access to your phone number.
Now the attacker will have your phone number. As a result, they can access accounts protected with SMS-based two-factor authentication. After all, it’s much easier for a scammer to trick a customer service agent than to hack SS7. This is called a “port-out scam” or a “SIM swap attack”.
You can usually protect your phone number by adding an additional PIN and mobile carrier security features. Check with your mobile carrier to see what security features they offer to protect you from scams.
iMessage and RCS: Better than SMS?
The Messages app on iPhone supports both SMS and Apple’s own iMessage service. On Android, more and more phones are supporting the more modern Rich Communication Services (RCS) standard. Both are designed to silently “upgrade” text message chats to more modern and secure ones. So which is better: iMessage, RCS, or SMS?
In a sense, Apple’s iMessage sits on top of SMS, using a phone number as an identifier. If both you and the person you want to text have an iPhone and have iMessage turned on, any text you send will be sent as an iMessage. These messages are encrypted end-to-end and sent through Apple’s servers. You’ll know iMessage is in use because the message will have a blue bubble. If you see green bubbles instead, the Messages app is using SMS.
The RCS standard being pushed for Android users — think of it as iMessage for Android — does not support end-to-end encryption as of January 2021. As of November 2020, Google is working on adding end-to-end encryption to RCS. That is, even with RCS, the carrier can still see the content of your messages.
Quick summary of problems with SMS
Here is a summary of the issues with SMS, compared with a secure end-to-end encrypted chat client like Signal.
With SMS:
- Your mobile service provider can see the content of the messages you are sending and receiving. Any collected records may be evidence in court.
- SMS messages can be intercepted by hackers due to weaknesses in the old protocol. This puts your finances and other accounts at risk.
- Governments can deploy stingrays to view SMS content in certain locations.
- Scammers may try to steal your cell phone number by tricking your mobile service provider’s service staff.
With Signal:
- Your mobile service provider cannot see the content of your messages. Even Signal can’t see the content of your messages or the person you’re communicating with. Signal does not collect data. If subpoenaed, Signal can say almost nothing about your use of the service.
- In practice, hackers cannot read the content of your messages. They would have to crack the Signal encryption protocol, which security experts say is great. (In contrast, SS7 has been hacked many times.)
- Stingrays can’t see your chats. Authorities are unable to track the contents of Signal messages. All they can see is encrypted traffic sent back and forth between Signal’s servers.
- You can protect your Signal account with a PIN, so scammers can’t access your Signal account. Even if a scammer can somehow guess your PIN and gain access to your Signal account, your Signal messages are still stored on your phone and won’t be synced with any new device that has access to your account.
What services should you use to replace SMS
I’ve used Signal as an example here because the difference is clear — Signal is the most widely recommended private chat client, with always-on end-to-end encryption.
If you’re using an iPhone and communicating with other iPhone users via iMessage, it’s much more private and secure than using regular SMS. Hopefully one day Android users will have secure end-to-end encrypted messaging built into their devices after RCS is improved. Unfortunately, iMessage and RCS aren’t compatible, so iPhones and Android phones will have to communicate via SMS — or switch to different chat apps that aren’t built in.
Other chat apps are also an option. Telegram is very popular, even though it doesn’t use end-to-end encryption by default. WhatsApp at least uses end-to-end encryption by default, unlike Facebook Messenger. Even Facebook Messenger is said to be more secure than SMS.
For two-factor security, it’s best to avoid SMS for really important accounts. Unfortunately, some services still use SMS authentication — for convenience. You should also try alternatives where they exist, such as Google’s Advanced Protection. That said, SMS-based two-factor security is still better than nothing.
The future of SMS: Can the security bug be fixed?
SMS messaging is an outdated technology. It’s clear that it wasn’t built with privacy and security in mind, and those design decisions are still with us today.
Hopefully, this will be fixed in the future. If RCS becomes more mature, end-to-end encrypted, and available on all Android phones — then all Apple has to do is agree to make iMessage compatible with RCS somehow. Then all modern smartphones will have more secure built-in messaging that doesn’t depend on archaic protocols.