Why You Should Stop Using SMS Security Codes—Even On Apple iMessage


Protect Your Access to the Internet

Facebook, PayPal, Microsoft, Twitter, Sony, Uber, Dropbox, Amazon… the list goes on. It is strikingly ironic: these companies are rightly pushing us to better secure our apps and services with two-factor authentication (2FA), a one-time verification code demanded when we log in or make a payment. But the default 2FA option is usually SMS, with that code texted to our phones, and SMS has infamously poor security that leaves the codes open to interception.

SMS attacks target either the phone and phone number at the receiving end, or the message centers inside the mobile networks that relay the text. Either way the content is readable: SMS is not encrypted end to end between sender and recipient, so a message passes through the carrier's infrastructure in the clear, and whoever gains access to it along the way can read the code.

Compromises of the phone or phone number include malware that users unwittingly install, which then watches incoming texts for one-time passcodes and forwards them to the attacker. Mobile malware can also capture usernames and passwords for websites and apps on the device, although those credentials are easily harvested by other means; the SMS code was supposed to be the second factor that survives a stolen password. Then there are SIM swapping attacks, in which the attacker tricks the carrier into issuing a new SIM for the target's phone number. From that point every SMS sent to that number, one-time passcodes included, arrives on the attacker's handset instead of the victim's.
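For contrast with the SMS flow described above, the following added example (not code from the article, and using the published RFC test secret rather than a real one) shows how an authenticator app derives a code locally from a shared secret under RFC 6238 TOTP, and how a server verifies it. The secret is exchanged once at enrolment and the code itself is never transmitted to the phone, so there is no text message for malware on the handset, a swapped SIM or a compromised carrier network to read.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
# A real service generates a random secret per user and shows it once, usually
# as a QR code, for the authenticator app to store. It is never sent again.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form used in otpauth:// URIs and enrolment QR codes."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time.

    This is what the authenticator app computes on the device; `at` defaults to now."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at=None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check of a user-supplied code.

    Accepts the current time step plus `window` steps either side to absorb clock
    drift, and compares in constant time so the check does not leak matching digits.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    if at is None:
        at = time.time()
    counter = int(at) // step
    ok = False
    for skew in range(-window, window + 1):
        expected = hotp(secret, counter + skew, digits, algo)
        # No early return: every candidate step is compared so timing does not reveal the skew.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    # Values from the RFC test vectors; nothing here crosses a network.
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                            # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SECRET, at=59, digits=8))     # 94287082
    print("Current 6-digit code:", totp(RFC_TEST_SECRET))
    print("Verifies:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET)))
```

The block uses only the Python standard library. A production verifier also needs replay protection (reject a code already accepted for the same time step) and should keep `window` small, since every extra step accepted is another valid code an attacker could guess.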

Unlike end-to-end encrypted messaging such as WhatsApp or iMessage, or even the more general over-the-top platforms such as Facebook Messenger, which at least run as internet apps rather than over the carrier's own messaging infrastructure, SMS is built into the architecture of the mobile networks themselves. So the security of your SMS messages depends on the security of those networks, or the lack of it. This issue has been known for years, and last year it was disclosed that hackers had planted malware deep inside multiple carrier networks to intercept messages at will.

Apple's iMessage feels more secure than other messaging apps, and it does end-to-end encrypt traffic, but only when both sender and recipient are on Apple devices (the blue bubbles). When a message arrives as SMS (the green bubbles), one-time passcodes included, iMessage is no more secure than any other SMS client: the text has already crossed the carrier network in the clear before the app ever sees it.

iMessage does do a good job of simplifying SMS one-time passcodes, which can be entered into a 2FA field with a prompted tap. But that convenience does nothing to secure the SMS message itself, which is stored within your standard SMS message…