Please Stop Using Text Messaging to Receive Login Codes

This week, a stunning story from Vice revealed how easy it is for an attacker to siphon away your text messages. They don’t need access to your phone; they don’t even need your SIM card. They just need to pay a trivial sum, convince a VoIP wholesaler that they’re a reseller (also a trivial matter), and sign a form swearing that they’re allowed to route messages to your number to another.

As anonymous author Lucky225 writes on Medium:

“Up until sometime on Thursday, March 11th, 2021 NetNumber was allowing any and all wireless phone numbers to have their NNIDs reassigned or hijacked without any authorization or verification as well. Presumably while this author and other journalists were seeking comment, after a proof of concept was demonstrated, it appears they have devised a scheme to pretend this is no longer a problem by temporarily not allowing wireless numbers to be hijacked.”


Furthermore, people use VoIP numbers instead of their real wireless numbers for various services and those folks are still left vulnerable to this attack while only those who don’t care about their privacy and use their real mobile numbers are protected.”

I won’t get into the nitty-gritty of the method that can be used to route your text messages away from your phone, but the fact that it was (and is?) so easy to do, and that you don’t receive an approval query or even a notification that it’s happening, is jarring.

While I’m sure a number of these business-class text-messaging services are tightening up their security, all it takes is an attacker to find one that isn’t verifying this kind of change with the actual owner of the number and it’s goodbye, incoming text messages. And that includes authentication codes you use to verify you’re you when logging into an account on an unknown device.

We’ve said it before, and we’ll keep saying it until all sites and services finally listen: It’s not secure enough to simply use a text message, or two-step authentication, to protect one’s account from unauthorized access. Whenever possible, you should be using a dedicated two-factor authentication app that requires physical access of your hardware—typically your phone—to finish the login process for an account. Text messages are not as secure as you might think. While you might never be the victim of a text-hijacking yourself, this week’s news shows it’s far from an impossibility.

It’s a lot less likely someone will get their hands on your actual smartphone, find a way to bypass the security mechanisms you have in place (touch or facial recognition) to unlock it, get through any secondary security you’ve put onto your particular 2FA app (like a PIN), and then use that to break into your accounts. By then, they will have likely either given up, or you’ll have reset your 2FA and set it up on a new device for your critical accounts, invaliding the old codes entirely.

You shouldn’t have to sign up for a monitoring tool to alert you if, or when, your phone number’s texts are routed elsewhere. (Full disclosure: The aforementioned Medium writer is the director of information at one such company). However, you might just want to anyway, because there are plenty of services out there that still use text messages, and only text messages, to send you login codes.

There’s little you can do if your healthcare provider, gaming website, or another site doesn’t let you use two-factor authentication, only two-step authentication. Pick a strong, unique password, lock it down with a great password-management app, and hope for the best. Also, don’t use obvious answers for your security questions; those should also be “passwords,” and you should track them just like you would any other password.

Finally, don’t not use two-step authentication if that’s all you’ve got. While it’s not 100% secure, it’s a lot better to have it enabled and force someone to jump through extra hoops to break into your account. Don’t just rely on your login+password combination if you can throw a little extra security into the mix.

There are also more extreme approaches, such as using a dedicated number for login codes that isn’t associated with your actual phone number at all. (Google Voice comes to mind; you can have it just email you text it receives, and you can lock down your Google account with two-factor authentication.) While that might not stop someone from randomly hijacking even that number, at least it would help keep you safe from a targeted attack. Well, safer. Isn’t security fun?