You may not want Facebook seeing every message you send, but standard SMS text messages aren’t any better. In fact, they’re even worse.
SMS text messages are not private or secure because SMS does not support end-to-end encryption. End-to-end encryption ensures that only you and the intended recipient can read a message’s contents.
You might think that switching from Facebook Messenger to old-fashioned text messages would help protect your privacy. But standard SMS text messages aren’t very private or secure. SMS is like fax—an old, outdated standard that refuses to go away.
With SMS, messages you send are not end-to-end encrypted. Your cellular provider can see the contents of messages you send and receive. Those messages are stored on your cellular provider’s systems—so, instead of a tech company like Facebook seeing your messages, your cellular provider can see your messages.
Cellular carriers store the contents of those messages for various amounts of time. Messages are often only retained for several days, but they store metadata (which number sent a message to which number, and at what time) for even longer. These records could be subject to subpoena in legal proceedings—for example, text message records are a common form of evidence in divorce cases.
Compare this to an end-to-end encrypted chat app like Signal. Signal doesn’t have the contents of your communications. Signal doesn’t even know who you’re talking to. Your conversation data is only stored on your device and the device of the person you’re talking to—that’s it.
That aside, should you trust your cellular provider with your conversations? Well, back in 2019, AT&T, Sprint, and T-Mobile were all revealed to be selling customer location data to aggregators. It was used by everyone from bail bondsmen to rogue bounty hunters. (After this was reported in the news, the cellular carriers promised to stop.)
Do you want those companies to see all the contents of your personal conversations?
But SMS messages are used for security, right? There’s a reason every bank and financial institution relies on SMS messages to verify your identity—right?
Well, yes, there is a reason. But that reason isn’t because of security. It’s just that everyone has a phone number. Requiring confirmation via SMS adds some additional security. Even if SMS isn’t particularly secure, it at least ensures that an attacker has to intercept an SMS message in addition to typing in your password.
SMS messages can be intercepted. Mobile phone networks around the world are connected to each other through the Signaling System No 7 (SS7) protocol. This is how your phone can connect to a cellular network and make and receive calls, even when you’re in another country on the other side of the world.
The SS7 system has been repeatedly attacked by hackers who have snooped on SMS messages or intercepted them. This is particularly useful when compromising bank accounts, for example—the attackers can snoop on the verification codes that are generally sent via SMS, use them to access bank accounts, and drain them.
This is why security professionals have recommended against using SMS for two-factor authentication. An app that generates codes on your device or a physical security key is much more bulletproof. (However, if SMS is the only option you have available, SMS is better than nothing.)
Governments around the world have access to “stingrays,” devices that essentially impersonate a cellular tower. When placed near your physical location, these trick your phone into connecting to them (as your phone would connect to a normal cellular tower). The stingray device can then track your movements and see your SMS text messages—just like your cellular carrier can.
Beyond local monitoring, SMS messages can also be swept up in larger surveillance systems. According to documents released by Edward Snowden back in 2014, the NSA was, at the time, collecting over 200 million text messages a day from around the globe.
Other countries’ intelligence services also have access to stingrays and SMS-monitoring technology, so it’s clear why encrypted communication apps like Signal and Telegram are especially popular among activists living under repressive regimes. For example, Telegram and Signal are banned in Iran.
Beyond SMS, phone numbers actually have very poor security—at the carrier level. A scammer can call your cellular carrier or go into a store and impersonate you. If the scammer has enough details and can trick your carrier’s customer service representatives, they can get control over your phone number. They may have the carrier “port out” your phone number to a different cellular carrier—just as you’d do if you were switching to another cellular provider. Or, they may have the carrier issue a new SIM card tied to your phone number and deactivate your existing SIM card, removing access to your phone number.
Now the attacker would have your phone number. With that, they can get access to accounts protected by SMS-based two-factor authentication. For an individual scammer, tricking a customer service person is easier than hacking SS7, after all. This is called a “port-out scam” or “SIM swapping attack.”
You can often protect your phone number by adding extra PINs and security features with your cellular provider. Check with your cellular provider to see what security features they offer to protect against port-out scams.
This has happened to quite a few people—enough that the FCC and Better Business Bureau have put out advisories warning about this scam.
The Messages app on iPhone supports both SMS and Apple’s own iMessage service. On Android, more and more Android phones are gaining support for the more modern Rich Communication Services (RCS) standard. Both are designed to silently “upgrade” text message conversations to more modern, secure ones when both people are using devices that support them. So how do they compare to SMS?
Apple’s iMessage piggy-backs on SMS in a sense, using phone numbers as identifiers. If both you and the person you want to text have iPhones and have enabled iMessage, any text you send will be sent as an iMessage instead. These are end-to-end encrypted and sent through Apple’s servers. You’ll know iMessage is being used because the messages will have blue bubbles. If you see green bubbles instead, the Messages app is using SMS instead—because you’re messaging someone without iMessage, likely a person who is an Android user.
The RCS standard being pushed for Android users—think of it as the Google/Android equivalent to Apple’s iMessage—did not support end-to-end encryption as of January 2021. As of November 2020, Google was working on adding end-to-end encryption to RCS. That means, even with that fancy new RCS system on your Android phone, your cellular carrier can still see the contents of the messages you send, just like with SMS.
Let’s quickly summarize the problems with SMS, and compare it to a secure, end-to-end encrypted chat app like Signal.
With SMS:
With Signal, for example:
We used Signal as the example here as the contrast is so stark—Signal is the most widely recommended private chat app, with always-on end-to-end encryption.
If you have an iPhone, communicating with iMessage is much more private and secure than using plain old SMS. Hopefully, Android users will one day have secure end-to-end encrypted messages built into their devices after improvements are made to RCS. Unfortunately, iMessage and RCS aren’t compatible with each other, so iPhones and Android phones will have to communicate over SMS—or switch to different chat apps that aren’t built-in.
Other chat apps are an option, too. Telegram is popular, although it doesn’t use end-to-end encryption by default. WhatsApp at least uses end-to-end encryption by default, unlike Facebook Messenger—if you trust a Facebook-operated chat app. But even Facebook Messenger is arguably more secure than SMS—you’re trusting Facebook with your messages, but at least you don’t have to worry about the problems in the ancient, creaky old SS7 protocol.
For two-factor security, it’s best to avoid SMS for really critical tasks. Unfortunately, some services will fall back to SMS authentication anyway—for convenience. There are sometimes alternatives. For example, Google offers Advanced Protection for journalists, activists, business leaders, and politicians who need maximum security for their accounts, and it requires the use of a physical security key. That said, SMS-based two-factor security is still better than nothing.
SMS is just outdated technology. It clearly was not built with privacy and security in mind, and those design decisions are still with it today.
Hopefully, this will be fixed in the future. If RCS becomes more mature, gains end-to-end encryption, and is available in all Android phones—well, then all Apple would have to do is agree to make RCS compatible with iMessage in some way. Then all modern smartphones would have secure messaging that doesn’t depend on ancient protocols built-in.
For now, it’s best to avoid text messages if you’re concerned about your privacy or the security of your accounts.
Chris Hoffman is the former Editor-in-Chief of How-To Geek. Chris has personally written over 2,000 articles that have been read more than one billion times—and that’s just here at How-To Geek.
With over a decade of writing experience in the field of technology, Chris has written for a variety of publications including The New York Times, Reader’s Digest, IDG’s PCWorld, Digital Trends, and MakeUseOf. Beyond the web, his work has appeared in the print edition of The New York Times (September 9, 2019) and in PCWorld’s print magazines, specifically in the August 2013 and July 2013 editions, where his story was on the cover. He also wrote the USA’s most-saved article of 2021, according to Pocket.
Chris was a PCWorld columnist for two years. He founded PCWorld’s “World Beyond Windows” column, which covered the latest developments in open-source operating systems like Linux and Chrome OS. Beyond the column, he wrote about everything from Windows to tech travel tips.
The news he’s broken has been covered by outlets like the BBC, The Verge, Slate, Gizmodo, Engadget, TechCrunch, Digital Trends, ZDNet, The Next Web, and Techmeme. Instructional tutorials he’s written have been linked to by organizations like The New York Times, Wirecutter, Lifehacker, the BBC, CNET, Ars Technica, and John Gruber’s Daring Fireball. His roundups of new features in Windows 10 updates have been called “the most detailed, useful Windows version previews of anyone on the web” and covered by prominent Windows journalists like Paul Thurrott and Mary Jo Foley on TWiT’s Windows Weekly. His work has even appeared on the front page of Reddit.
Articles he’s written have been used as a source for everything from books like Team Human by Douglas Rushkoff, media theory professor at the City University of New York’s Queens College and CNN contributor, to university textbooks and even late-night TV shows like Comedy Central’s @midnight with Chris Hardwick.
Starting in 2015, Chris attended the Computer Electronics Show (CES) in Las Vegas for five years running. At CES 2018, he broke the news about Kodak’s “KashMiner” Bitcoin mining scheme with a viral tweet. A wave of negative publicity ensued, with coverage on BuzzFeed News, CNBC, the BBC, and TechCrunch. The company’s project was later reportedly shut down by the U.S. Securities and Exchange Commission.
In addition to his extensive writing experience, Chris has been interviewed as a technology expert on TV news and radio shows. He gave advice on dark web scans on Miami’s NBC 6, discussed Windows XP’s demise on WGN-TV’s Midday News in Chicago, and shared his CES experiences on WJR-AM’s Guy Gordon Show in Detroit.
Chris also ran MakeUseOf’s email newsletter for two years. Nearly 400,000 subscribers received the newsletter complete with a handwritten tip every day.