Websites that authenticate users through links and codes sent in text messages are imperiling the privacy of millions of people, leaving them vulnerable to scams, identity theft, and other crimes, recently published research has found.
The links are sent to people seeking a range of services, including those offering insurance quotes, job listings, and referrals for pet sitters and tutors. To eliminate the hassle of collecting usernames and passwords—and for users to create and enter them—many such services instead require users to provide a cell phone number when signing up for an account. The services then send authentication links or passcodes by SMS when the users want to log in.
Easy to execute at scale
A paper published last week has found more than 700 endpoints delivering such texts on behalf of more than 175 services that put user security and privacy at risk. One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them by simply modifying the security token, which usually appears at the right of a URL. By incrementing or randomly guessing the token—for instance, by first changing 123 to 124 or ABC to ABD and so on—the researchers were able to access accounts belonging to other users. From there, the researchers could view personal details, such as partially completed insurance applications.
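The defensive counterpart to the enumerable links described above, as an added Python example that is not code from the paper or from any of the services studied: login tokens are drawn from a cryptographic random source, stored only as a hash, expire, and work once. The names `LoginLinkStore` and `looks_enumerable`, the 10-minute lifetime, the 22-character threshold and the in-memory dictionary are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime for a texted login link (10 minutes)


class LoginLinkStore:
    """Pending SMS login tokens, held in memory for this example only."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (account_id, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def issue(self, account_id):
        # 32 bytes from the OS CSPRNG: one issued token says nothing about
        # the next, unlike a counter where 123 is followed by 124.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account_id, self._now() + TOKEN_TTL_SECONDS)
        return token  # placed in the texted URL; only the hash is kept

    def redeem(self, token):
        """Return the account id for a valid token, otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the link single-use
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return account_id


def looks_enumerable(tokens, min_chars=22):
    """Heuristic audit of issued tokens: under about 128 bits of URL-safe
    text (22 characters) is treated as guessable by stepping values."""
    return any(len(t) < min_chars for t in tokens)
```

Rate-limiting failed redemptions per client is a separate control that this example does not cover.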


This is an important topic that highlights the vulnerabilities in our digital security practices. It’s crucial for users to be aware of these risks and for companies to seek safer alternatives. Thank you for shedding light on this issue!
absolutely is! It’s interesting to note that many people are unaware of these risks, often assuming that SMS verification is a secure method. Exploring alternative authentication methods, like app-based or hardware tokens, could significantly enhance security.
You’re right! Many users do overlook these risks, thinking SMS is a secure way to authenticate. It’s crucial for everyone to be educated about more secure alternatives, like authenticator apps, to better protect their accounts.
true that SMS authentication is often perceived as safe, but it’s good to remember that methods like two-factor authentication apps or hardware tokens can offer much stronger security. Awareness of these alternatives can help users make better choices for protecting their accounts.