How to protect against SMS mobile security weakness

Many banks and corporate IT systems force users to use SMS one-time passwords to secure their accounts, but these can easily be bypassed for most users.

Imagine making a trip to the gym or swimming pool. Before heading to your activity, you lock your valuables away in a locker, meaning your phone and wallet are together. Given that banking providers will often send SMS text messages to your phone in order to approve suspicious transactions, if someone was able to gain entry to the locker and access your cards and your phone (bypassing your phone’s PIN), then surely they would be able to bypass any security measures around suspicious transactions.

This was the fate that faced Charlotte Morgan, who reported in a Twitter thread having had a thief bypass the locks to her gym locker and bypass security on her phone in order to steal money from her bank account and go on a £5,000 shopping spree. Charlotte noted that all her PINs, passcodes and passwords were different.

It is often claimed in security communities that “physical access is game over”, due to the vast amount of power an attacker has with control over your device, but in reality, there are tangible steps that individuals can take to protect themselves from falling victim to such attacks.

Many personal and corporate accounts will often use SMS text messages to deliver one-time passwords to add a further layer of security before someone is able to log into an online account, talk to a customer support representative (for example, using telephone banking) or even enrolling into mobile banking apps (with modern banking apps even displaying your card PIN number in the app user interface itself).

While SMS one-time passwords are not ideal (for example, if someone was able to intercept the message, they could get the code), the alternative is using two-factor authentication (2FA) apps or hardware tokens, which many vendors do not use as the default in order to reduce user friction.

You may well now be thinking that someone’s biometrics (fingerprint or facial recognition) or phone PIN number will prevent a malicious actor from getting access to their text messages. Indeed, security hardening measures on a user’s devices usually focus on making sure the software running on the phone is up to date and free of any malware that could steal data. I personally use apps like iVerify to stay on top of my mobile security; however, these measures can easily be bypassed for most users when it comes to SMS one-time passwords.

By simply removing the SIM card from your phone and placing it into another phone, you can then receive any SMS 2FA messages sent to that phone number without needing to unlock the phone itself. That phone will take the phone number of the previous phone.

For those of you reading this, you can take steps to protect both yourself and your organisation if you are in a position to give security advice within your organisation. By simply enabling a PIN lock on your SIM card, you can prevent a third party from using your SIM card on a different device without first entering that code (or obtaining a bypass code from the network provider, known as a PUK code). This code will also be prompted when the phone is restarted and needs to reconnect with your phone network provider.

An iPhone user can access this feature by navigating to Settings > Mobile Data > SIM PIN to change their SIM pin and activate it for use. On Android, this can be found in Settings > Security > Set up SIM card lock.

As mobile devices transition to using eSIMs instead of physical SIM cards, this is also likely to be less of a problem going forward. With Apple iPhone 14s in the US now exclusively using eSIMs, there is no physical SIM card to be transferred to a different device. That said, it is still possible to set up SIM PINs on eSIMs, and this could add an extra layer of security, particularly if your phone allows the reading of text messages or answering phone calls when in the locked state.

While many of us in cyber security understand the pitfalls of sending one-time passwords over SMS, the reality is that this is something we have no option but to use with many vendors. Therefore, it is best to secure ourselves to the best of our ability in these circumstances. SIM PINs are an important measure to help us in this, particularly while we are reliant on physical SIM cards.

Junade Ali is an experienced technologist with an interest in software engineering management, computer security research and distributed systems.