8 SMS Attacks

Chapter 8 will cover Short Message Service (SMS) attacks. Today's incredibly functional smartphones are where a lot of the world conducts most or even all of their computing. Many people have only a cell phone to connect remotely to another person, be it a phone call, messaging, or email. For many people, especially younger people, most of their Internet browsing is conducted from a cell phone. So, it makes perfect sense that criminals will go where their potential victims are.

The small form factor and the inability to easily distinguish between real and fraudulent SMS messages have led to an entirely new genre of crime. In many cases, the insecurity of SMS makes MFA solutions that rely on it even less safe than simple logon names and passwords.

This chapter describes what SMS is and why it is abused, presents examples of real-world attacks, and finishes with how SMS-based MFA developers and users should defend themselves.

Introduction to SMS

SMS is a popular text-based messaging service standard that nearly all cell phones support. It was already in widespread use by the 1990s, and it is rare for a cell phone not to support SMS. It was and is the original chat-based “killer app” that took over the world. Today, many people use other chat apps like WhatsApp, Skype, Facebook Messenger, Google Hangouts, and Instagram, but almost everyone uses SMS because everyone else has it and it's always active and loaded.
