Overview#
Short Message Service (SMS) is a text messaging service component of phone, Web, or Mobile Network communication systems. Short Message Service uses standardized communications protocols to allow fixed line or Mobile Devices to exchange short text messages.

Short Message Service is often used as an Authentication Factor in Multi-Factor Authentication.
The pros and cons of SMS-based codes#
- Pros
  - SMS codes are convenient. There’s no fussing with downloading an app and going through setup for each account. It may be the only option if you don’t have a smartphone.
  - SMS authentication can be a canary in the coal mine. If someone’s trying to break into your account, the 2FA messages on your phone are a warning that it’s time to investigate (and to change your password).
- Cons
  - A crook can hijack your SMSes with a SIM swap scam. If they can convince a mobile phone shop that they are you, they can get the shop to issue a replacement SIM encoded with your phone number. Your phone will go dead and theirs will start receiving your calls and messages, including 2FA codes.
  - NIST has declared SMS-based 2FA deprecated.

Architectures#
The Mobile Application Part (MAP) of the SS7 protocol included support for the transport of Short Messages through the Core Network from its inception. MAP Phase 2 expanded support for SMS by introducing a separate operation code for Mobile Terminated Short Message transport. Since Phase 2, there have been no changes to the Short Message Service operation packages in MAP, although other operation packages have been enhanced to support CAMEL SMS control.
From 3GPP Releases 99 and 4 onwards, CAMEL Phase 3 introduced the ability for the Intelligent Network (IN) to control aspects of the Mobile Originated Short Message Service, while CAMEL Phase 4, as part of 3GPP Release 5 and onwards, provides the IN with the ability to control the Mobile Terminated service. CAMEL allows the gsmSCP to block the submission (MO) or delivery (MT) of Short Messages, route messages to destinations other than that specified by the user, and perform real-time billing for the use of the service. Prior to standardized CAMEL control of the Short Message Service, IN control relied on switch vendor specific extensions to the Intelligent Network Application Part (INAP) of SS7.
SIM Swap Scam (SS7 hack) is a type of fraud that involves a criminal registering an existing number of a cellular company’s client on a new SIM card (the card that allows you to make and receive calls, SMSes, etc.). They usually do this in order to intercept notifications and One-Time Passwords that are sent to the Mobile Device.