Why SMS (TXT) is not a reliable 2nd authentication factor
Many organizations are still sending SMS as a secondary means to validate users. However, this is not the safest approach.

I am sure most readers are aware of the cybersecurity risk. The popularity of Internet services, social media and home banking has given rise to a rapid increase in crimes associated with stolen identities or login credentials.
A lot of financial institutions send an SMS or TXT message to users as a means of authentication. The process is almost painless for the users, as there is no app to install and no update to worry about.
However, if other options are available for users to authenticate themselves to banks or other services from the web site, I would suggest users choose in the following order of security, most secure first:
- Hardware security key like a YubiKey. This is a physical key that needs to be plugged into the computer or phone. It is the most secure form of protection.
- Biometric device such as a fingerprint or face scanner
- An authentication app like Authy or Saaspass
So why is TXT not my first choice as a 2nd authentication factor? It is because it is not secure. By default, TXT messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or changed by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.
In addition, mobile phones that are compromised (e.g. jailbroken or malware infected) can result in TXT messages being read. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to TXT on mobile phones specifically to intercept these one-time passwords.
Some organisations may not offer options other than TXT. One example is Kickstarter. In these cases, the users have to understand the risk and be vigilant about safeguarding the phone against malware.