You might think that switching from Facebook Messenger to old-fashioned text messages would help protect your privacy. But standard SMS text messages aren’t very private or secure. SMS is like fax—an old, outdated standard that refuses to go away.
Your Cellular Carrier Can See Your SMS Messages
With SMS, messages you send are not end-to-end encrypted. Your cellular provider can see the contents of messages you send and receive. Those messages are stored on your cellular provider’s systems—so, instead of a tech company like Facebook seeing your messages, your cellular provider can see your messages.
Cellular carriers store the contents of those messages for various amounts of time. Messages are often only retained for several days, but they store metadata (which number sent a message to which number, and at what time) for even longer. These records could be subject to subpoena in legal proceedings—for example, text message records are a common form of evidence in divorce cases.
Compare this to an end-to-end encrypted chat app like Signal. Signal doesn’t have the contents of your communications. Signal doesn’t even know who you’re talking to. Your conversation data is only stored on your device and the device of the person you’re talking to—that’s it.
That aside, should you trust your cellular provider with your conversations? Well, back in 2019, AT&T, Sprint, and T-Mobile were all revealed to be selling customer location data to aggregators. It was used by everyone from bail bondsmen to rogue bounty hunters. (After this was reported in the news, the cellular carriers promised to stop.)
Do you want those companies to see all the contents of your personal conversations?
SMS Messages Can Be Intercepted by Criminals
But SMS messages are used for security, right? There’s a reason every bank and financial institution relies on SMS messages to verify your identity—right?
Well, yes, there is a reason. But that reason isn’t because of security. It’s just that everyone has a phone number. Requiring confirmation via SMS adds some additional security. Even if SMS isn’t particularly secure, it at least ensures that an attacker has to intercept an SMS message in addition to typing in your password.
SMS messages can be intercepted. Mobile phone networks around the world are connected to each other through the Signaling System No 7 (SS7) protocol. This is how your phone can connect to a cellular network and make and receive calls, even when you’re in another country on the other side of the world.
The SS7 system has been repeatedly attacked by hackers who have snooped on SMS messages or intercepted them. This is particularly useful when compromising bank accounts, for example—the attackers can snoop on the verification codes that are generally sent via SMS, use them to access bank accounts, and drain them.
This is why security professionals have recommended against using SMS for two-factor authentication. An app that generates codes on your device or a physical security key is much more bulletproof. (However, if SMS is the only option you have available, SMS is better than nothing.)
SMS Messages Can Be Monitored by Authorities
Governments around the world have access to “stingrays,” devices that essentially impersonate a cellular tower. When placed near your physical location, these trick your phone into connecting to them (as your phone would connect to a normal cellular tower). The stingray device can then track your movements and see your SMS text messages—just like your cellular carrier can.
Beyond local monitoring, SMS messages can also be swept up in larger surveillance systems. According to documents released by Edward Snowden back in 2014, the NSA was, at the time, collecting over 200 million text messages a day from around the globe.
Other countries’ intelligence services also have access to stingrays and SMS-monitoring technology, so it’s clear why encrypted communication apps like Signal and Telegram are especially popular among activists living under repressive regimes. For example, Telegram and Signal are banned in Iran.
Your Phone Number Is Surprisingly Easy to Hijack
Beyond SMS, phone numbers actually have very poor security—at the carrier level. A scammer can call your cellular carrier or go into a store and impersonate you. If the scammer has enough details and can trick your carrier’s customer service representatives, they can get control over your phone number. They may have the carrier “port out” your phone number to a different cellular carrier—just as you’d do if you were switching to another cellular provider. Or, they may have the carrier issue a new SIM card tied to your phone number and deactivate your existing SIM card, removing access to your phone number.
Now the attacker would have your phone number. With that, they can get access to accounts protected by SMS-based two-factor authentication. For an individual scammer, tricking a customer service person is easier than hacking SS7, after all. This is called a “port-out scam” or “SIM swapping attack.”
You can often protect your phone number by adding extra PINs and security features with your cellular provider. Check with your cellular provider to see what security features they offer to protect against port-out scams.
iMessage and RCS: Better Than SMS?
The Messages app on iPhone supports both SMS and Apple’s own iMessage service. On Android, more and more Android phones are gaining support for the more modern Rich Communication Services (RCS) standard. Both are designed to silently “upgrade” text message conversations to more modern, secure ones when both people are using devices that support them. So how do they compare to SMS?
Apple’s iMessage piggy-backs on SMS in a sense, using phone numbers as identifiers. If both you and the person you want to text have iPhones and have enabled iMessage, any text you send will be sent as an iMessage instead. These are end-to-end encrypted and sent through Apple’s servers. You’ll know iMessage is being used because the messages will have blue bubbles. If you see green bubbles instead, the Messages app is using SMS instead—because you’re messaging someone without iMessage, likely a person who is an Android user.
The RCS standard being pushed for Android users—think of it as the Google/Android equivalent to Apple’s iMessage—did not support end-to-end encryption as of January 2021. As of November 2020, Google was working on adding end-to-end encryption to RCS. That means, even with that fancy new RCS system on your Android phone, your cellular carrier can still see the contents of the messages you send, just like with SMS.
The Problems With SMS, Summarized
Let’s quickly summarize the problems with SMS, and compare it to a secure, end-to-end encrypted chat app like Signal.
- Your cellular carrier can see the contents of the messages you’re sending and receiving. Any collected records could be subpoenaed in legal proceedings.
- SMS messages can be intercepted by hackers due to weaknesses in the rickety old protocol that powers them. This puts financial and other accounts at risk.
- Authorities can deploy stingrays to snoop on the contents of text messages in an area.
- Scammers can try to steal your cell phone number by tricking your cellular provider’s customer service staff.
With Signal, for example:
- Your cellular carrier can’t see the contents of your messages. Not even Signal can see the contents of your messages or who you’re contacting—that remains a secret. Signal doesn’t collect this data. If forced by subpoena, Signal can reveal almost nothing about your usage of the service.
- Signal messages can’t realistically be hijacked by hackers. They would have to compromise the Signal encryption protocol, which security experts consider excellent. (In contrast, SS7 has been repeatedly compromised.)
- Stingrays can’t see your conversations. Authorities can’t snoop on the content of Signal messages—not without getting their hands on a phone that contains them. All they can see is encrypted traffic being sent back and forth to Signal’s servers.
- A port-out scam that captures your phone number wouldn’t grant access to your Signal account. You can protect your Signal account with a PIN, so a scammer can’t just access your Signal account. Even if the scammer could somehow guess your PIN and access your Signal account, your Signal messages are stored on your phone and wouldn’t be synced to any new devices that gain access to your account.
What You Should Use Instead
We used Signal as the example here as the contrast is so stark—Signal is the most widely recommended private chat app, with always-on end-to-end encryption.
If you have an iPhone, communicating with iMessage is much more private and secure than using plain old SMS. Hopefully, Android users will one day have secure end-to-end encrypted messages built into their devices after improvements are made to RCS. Unfortunately, iMessage and RCS aren’t compatible with each other, so iPhones and Android phones will have to communicate over SMS—or switch to different chat apps that aren’t built-in.
Other chat apps are an option, too. Telegram is popular, although it doesn’t use end-to-end encryption by default. WhatsApp at least uses end-to-end encryption by default, unlike Facebook Messenger—if you trust a Facebook-operated chat app. But even Facebook Messenger is arguably more secure than SMS—you’re trusting Facebook with your messages, but at least you don’t have to worry about the problems in the ancient, creaky old SS7 protocol.
For two-factor security, it’s best to avoid SMS for really critical tasks. Unfortunately, some services will fall back to SMS authentication anyway—for convenience. There are sometimes alternatives. For example, Google offers Advanced Protection for journalists, activists, business leaders, and politicians who need maximum security for their accounts, and it requires the use of a physical security key. That said, SMS-based two-factor security is still better than nothing.
The Future of SMS: Will It Ever Be Fixed?
SMS is just outdated technology. It clearly was not built with privacy and security in mind, and those design decisions are still with it today.
Hopefully, this will be fixed in the future. If RCS becomes more mature, gains end-to-end encryption, and is available in all Android phones—well, then all Apple would have to do is agree to make RCS compatible with iMessage in some way. Then all modern smartphones would have secure messaging that doesn’t depend on ancient protocols built-in.
For now, it’s best to avoid text messages if you’re concerned about your privacy or the security of your accounts.