🦊 SMS = pretend-secure
Mar 23, 2021 3:36 pm
...it's not officially official until Brian Krebs writes about it (in the world of information security, at least). SMS isn't secure.
Oh hey there! I'm Jon Fedor and this is InCyber Regular, edition seven. I talk about cyber security issues and awareness for smaller enterprises and the cyber-curious. I also do shout-outs from my LinkedIn profile on the weekends.
In today's edition: SMS isn't secure. If you're asking, "what's SMS?" Well, let's start there.
SMS is...a mess
It's a mess *now*, at least.
SMS stands for short message service. SMS, in short, is texting and the protocol for sending and receiving texts. It's one of the oldest texting technologies.
Over time, SMS has grown and expanded into multimedia messaging service (MMS). Both SMS and MMS have, traditionally, required a cellular plan to send and receive messages on a device. As mobile operating systems evolved, other services like iMessage, for instance, grew up around SMS and marked another epoch we affectionately call over the top (OTT) messaging services. Because they...work...over...the top of SMS (e.g. via the interwebz).
Anywho.
Last week I wrote about Motherboard's piece on paying $16 to hack a phone in a way that the owner of the phone number doesn't know it's been hacked. Crazy.
This week, Brian Krebs, of KrebsOnSecurity.com, expanded on how big this problem is. In short, it's huge. Here's Brian's conclusion:
"...it’s probably a good idea to rethink your relationship to your phone number. It’s now plainer than ever how foolish it is to trust SMS for anything."
You're probably thinking: funny thing, bucko, it's not so easy to untangle my phone number from like...everything.
Two points:
- Stop being a baby
- Worthwhile outcomes in life (you know, like protecting your financial future, your social security number, your kids' bank accounts, etc.) require sweat; hard work.
How to un-SMS yourself
The solution is to take ownership of your phone in a way that most people won't. To take ownership in a way that no one is forcing you to.
Don't treat your phone number as an identity document à la social security number or passport.
Here are the steps:
- Secure ALL online accounts with a strong password.
- Use time-based one-time password (TOTP) multifactor authentication (MFA) for each of those accounts. You'll need a separate app like Google Authenticator or Microsoft Authenticator that generates a one-time code you enter at login to verify your identity.
- It's hardest to do this with email accounts. They nearly always require a phone number as a backup for password reset. If you can, remove the phone as a backup option and replace it with something stronger (even a secondary email...especially if it's a ProtonMail account).
- Some email services require a phone number when you first set them up but will allow you to remove and replace the phone number as a form of backup after the fact. Watch for this.
- If you absolutely have to have a phone number for SMS verification, get a free Google Voice number (thanks for the reminder, Matt Cameron!) and use that for any online-type accounts that require a phone number and leave you no other option.
We've known about this for oh-so-long in the security community. It's time everyone knows.
It's time to stop shaking our heads when we see folks using SMS for account verification and start taking action.
The solution starts with awareness. Get yerself in the zeitgeist, as a wise person once quipped.
Be loud. And start by getting your own house in order.
Thanks!
Well, that's it for today. I think it'd be good to show some examples of taking the above action steps. I'm going to take that away as a suggestion to work on for later.
Until next week...
If you enjoyed this or learned something feel free to forward this email. Or pass along the link to sign up for InCyber Regular. I love writing this thing for y'all and I want to keep doing it. And I want it to get better weekly. So let's make it happen already.
Have a good'un, Good Lookin'.
~Jon SMS-is-a-mess Fedor