SMS Sign-In Links Endanger Millions Worldwide
Recent research highlights the risks of SMS sign-in links, which jeopardize millions of users worldwide. The study, conducted by teams from the universities of New Mexico, Arizona, Louisiana, and the firm Circle, reveals how easily these attacks can be tested, executed, and verified.
Understanding the Vulnerabilities
One of the critical issues is that SMS messages are transmitted unencrypted. Over the years, researchers have uncovered public databases containing previously sent texts that include sensitive authentication links, names, and personal addresses. A notable discovery in 2019 revealed millions of both sent and received SMS messages between a single business and its customers. These messages included usernames, passwords, and confidential information such as finance applications and discount codes.
Recognizing the Scale of the Problem
The researchers faced ethical challenges in assessing the full extent of these vulnerabilities, as a comprehensive evaluation would involve bypassing security measures. Instead, they focused on public SMS gateways—services that allow users to receive SMS messages without exposing their actual phone numbers.
While this approach provided only a limited snapshot, the findings were significant. The researchers analyzed 33 million texts, identifying 332,000 unique SMS-delivered URLs sent to over 30,000 phone numbers. Their investigation underscored the serious security and privacy implications associated with these messages.
- SMS messages from 701 endpoints were linked to 177 services.
- These messages exposed critical personally identifiable information.
- Weak authentication methods based on tokenized links were found to be a root cause of the exposure.
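To make the root cause concrete, the following added example (it is not code from the study or from any of the services it examined) contrasts two ways of implementing a tokenized sign-in link. The weak variant treats a long-lived, reusable token as the entire credential, so a link recovered from an exposed SMS archive still signs the attacker in later. The hardened variant stores only a hash of the token, expires it after five minutes, and invalidates it on first use, so the same recovered link is worthless. The service class names, the `login.example.test` URL and the `token` query parameter are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 300  # a sign-in link should only be valid for minutes


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, now: float) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class WeakLinkService:
    """Constructed weak variant: plaintext, reusable, never-expiring token."""

    def __init__(self, base_url: str) -> None:
        self.base_url = base_url
        self._tokens: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id  # stored as-is, never invalidated
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        # Any copy of the link, at any time, signs the holder in.
        return self._tokens.get(token)


@dataclass
class PendingLogin:
    user_id: str
    issued_at: float
    used: bool = False


class HardenedLinkService:
    """Single-use, short-lived token; only its SHA-256 hash is stored server-side."""

    def __init__(self, base_url: str, clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.clock = clock
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._pending[self._hash(token)] = PendingLogin(user_id, self.clock())
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        record = self._pending.get(self._hash(token))
        if record is None or record.used:
            return None  # unknown token or replay of an already-used link
        if self.clock() - record.issued_at > TOKEN_TTL_SECONDS:
            del self._pending[self._hash(token)]
            return None  # link expired before use
        record.used = True  # burn the token on first successful redemption
        return record.user_id


def token_from_link(url: str) -> str:
    """Extract the token exactly as someone reading the SMS text would."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def demo() -> Dict[str, Optional[str]]:
    """Replay and expiry outcomes for both services (constructed scenario)."""
    clock = FakeClock(1_000_000.0)
    weak = WeakLinkService("https://login.example.test")
    hardened = HardenedLinkService("https://login.example.test", clock=clock)
    weak_link = weak.issue("alice")
    hard_link = hardened.issue("alice")
    results: Dict[str, Optional[str]] = {}
    # Legitimate first click by the intended recipient.
    results["weak_first_use"] = weak.redeem(token_from_link(weak_link))
    results["hardened_first_use"] = hardened.redeem(token_from_link(hard_link))
    # Same link read later from an exposed message archive.
    results["weak_replay"] = weak.redeem(token_from_link(weak_link))
    results["hardened_replay"] = hardened.redeem(token_from_link(hard_link))
    # A link that was never clicked but sat in an archive past its TTL.
    stale_link = hardened.issue("bob")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["hardened_expired"] = hardened.redeem(token_from_link(stale_link))
    return results


if __name__ == "__main__":
    for outcome, user in demo().items():
        print(f"{outcome}: {'signed in as ' + user if user else 'rejected'}")
```

Hashing the token before storage means a leaked server-side table cannot be turned back into working links, and the single-use flag plus the short TTL limit the window in which an unencrypted SMS in transit or in a gateway archive remains exploitable.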
Anyone who obtains one of these links can use it to extract personal details of the unsuspecting recipient, such as social security numbers, birth dates, bank account information, and credit scores. This situation is a stark reminder of the pressing need for stronger security measures and greater public awareness of SMS-linked authentication practices.