Are Companies Negligent for Still Using SMS OTPs?
Picture this: You're sipping your morning coffee when your phone screen flashes "No SIM - Emergency Calls Only." Your stomach sinks. You try logging into your bank app, but the password fails. Same with your email. Nothing works. Then it hits you: someone else controls your digital life.
This isn't just a scary story. It happens. In 2018, former Apple engineer Rob Ross lost his life savings in minutes after a SIM swap, as reported in Cybercrime Magazine's "Former Apple Engineer Is The Victim Of A Million Dollar SIM Card Hack". A 75-year-old from Palm Beach lost over $200,000 when a fake AT&T rep tricked him into sharing a text code, according to Hoodline's "Palm Beach County Woman Charged in Nationwide SIM-Swap Scam". Search "SIM swap victim" on Google, and the list grows. It's a worldwide problem.
Worse yet, U.S. banks often leave victims empty-handed. Consumer Reports explains in "Sophisticated wire transfer scams targeting bank customers becoming more common" that the Electronic Fund Transfer Act only obliges banks to refund unauthorized transfers; when the victim was tricked into approving the transfer or reading out the code, the bank treats it as "authorized" and refuses. The FBI's 2024 Internet Crime Report puts SIM swap losses at $25 million, and that's only what's reported. Many people, especially seniors, stay quiet about it.
What's driving this mess? Let's break it down with two big questions: What's a SIM swap? And how does it drain your bank account?
What Is a SIM Swap?
Your SIM card, or its digital version called an eSIM, is like an ID badge for your phone. It holds the subscriber identity and key that tell your carrier which phone number belongs to this device. A SIM swap happens when a thief talks your carrier into issuing a new badge for your number, so the number now rings on their device. Nothing is physically stolen; the carrier does the moving. The first clue? Your phone goes dead, showing "Emergency Calls Only."
How do they pull it off? Three main tricks:
- Impersonation: They dig up bits of your life from social media or data breaches, a method called OSINT (check out "OSINT: The Privacy and Security Blind Spot"). Then they fool your carrier into switching your number to their device.
- Inside Jobs: Shady carrier workers secretly move your number to a new device.
- Bold Moves: Thieves pretend to be carrier techs. In British Columbia, a woman lost $500,000 in bitcoin this way, per CBC News.
Once they have your number, they hold the keys to your life. Why? Because banks rely on something shaky.
The Weak Spot: SMS OTPs
Banks use SMS-based One-Time Passwords (OTPs) for logins, transfers, and password resets. You've done it: type your username and password, get a code texted to your phone, then enter it online. Easy, right? Also risky. If a thief grabs your number through a SIM swap, they get that code too. Your password is often no obstacle either: it may already sit in a breach dump, or the thief just uses the "forgot password" flow, which sends its reset code to the same number. Then your accounts empty out, and you're stuck watching it happen.
It's crazy. Your phone number turns into a weak link, like a flimsy lock on a treasure chest. The $25 million lost in 2024 shows this isn't just a theory. Still, banks cling to SMS OTPs, blaming old systems, high costs, or people not liking change. Those reasons feel weak when your money disappears, and banks can shrug it off, saying "you approved it" under the Electronic Fund Transfer Act. Act quickly, and you might save your cash. Most don't.
Let's dig deeper into why SMS OTPs are so vulnerable.
What Is an SMS, Anyway?
Think of your phone as a walkie-talkie, always quietly checking in with the nearest cell tower, saying, "I'm here!" These check-ins travel over the network's signalling channel, the low-bandwidth control channel that keeps your phone registered and sets up your calls.
An SMS, or text message, rides on that same signalling channel instead of getting a voice or data channel of its own. That is why it was cheap to bolt on, and why a single message is capped at 140 bytes (160 characters in the GSM 7-bit alphabet). The tower hands the message to the carrier's SMS center (SMSC), which stores it and forwards it toward your friend.
This setup lets us send quick texts using what's already there. But there's a huge problem most people miss.
SMS Isn't Safe
SMS wasn't built to be secure. It was made for convenience. A text may be scrambled on the short radio hop between your phone and the tower, but it is not encrypted end to end for just you and the recipient: inside the carrier's network it is plaintext, the SMS center stores it, and any carrier system or employee with access can read it.
Plus, texts travel using Signalling System No. 7 (SS7), a protocol suite from the 1970s built to set up and tear down calls across the global phone network. It lets you call anywhere, from next door to the other side of the world. But SS7 isn't secure by today's standards: it trusts any network that can reach it, with no real authentication between operators. A crook who gets SS7 access, typically through a rogue or compromised operator or a leased interconnect, can watch, grab, or redirect your SMS OTP without touching your carrier's staff or your phone. This isn't theoretical: in 2017 attackers used SS7 access to redirect German bank customers' mTAN codes and drain their accounts.
So, a key part of bank security rides on an unlocked message sent over a public road. Sound safe to you?
How Does a Bank Send an SMS?
SMS lives in the telephone network, not on the internet, so a bank can't deliver a text itself. It sends the code over an ordinary internet API (HTTPS or SMPP) to a middleman called an SMS gateway, and the gateway hands it into the telecom network. Here's the simple path an SMS OTP takes:
- Bank makes a code.
- Sends it to an SMS Gateway Provider.
- Gateway pushes it through the global telecom network (SS7).
- Carrier drops it on your phone.
The bank-to-gateway hop is usually protected with TLS, but from the gateway onward the code is plaintext: the gateway, the carrier's SMS center, and anyone with SS7 access can read it, and a SIM swap simply hands it to the attacker at the last step. The bigger the prize, the trickier they get.
Are Companies Negligent?
By 2025, we have stronger, safer ways to log in, used even by tiny websites. Sticking to SMS OTPs feels careless. The SIM swap danger isn't new; experts have warned about it for years. Countries like the UAE, Singapore, and India are dropping SMS OTPs. Groups like FINRA and the USPTO are too. Better choices are out there:
- Passkeys: They stop phishing and ditch passwords, because the credential is bound to the site it was created for. (See "Why Passkeys Are the Future of Online Security")
- Authenticator Apps: Apps like Ente Auth generate codes on the device from a secret shared once at enrollment, so no code crosses the carrier network and your phone number plays no part.
- Hardware Keys: YubiKeys and other FIDO2 security keys keep the private key in tamper-resistant hardware and sign only for the genuine site, so there is no code to intercept.
Banks dragging their feet isn't just slow. It's reckless.
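To make the difference concrete, here is an added example in Python (my own illustration, not code from this article or from any bank). It models the SMS path described in "How Does a Bank Send an SMS?" as a plain list that every hop can read, puts an RFC 6238 authenticator-app check next to it, and lets an eavesdropper try both. The 120-second code lifetime, the three-attempt limit, the user names and the phone numbers are constructed assumptions.

```python
"""Side-by-side model of an SMS OTP and an authenticator-app (TOTP) factor.
Added example, not code from the original article. The carrier_path list stands in
for gateway + SS7 + carrier; steal_latest_sms() models anyone who can read that path."""
import hashlib
import hmac
import secrets
import struct

OTP_TTL_SECONDS = 120  # assumption: how long a texted code stays valid
MAX_ATTEMPTS = 3       # assumption: wrong guesses allowed before the code is burned
TOTP_STEP = 30         # RFC 6238 default time step


class SmsOtpService:
    """Bank side of an SMS OTP: the secret itself is handed to the carrier."""

    def __init__(self, carrier_path):
        self._carrier_path = carrier_path  # every hop on it can read the message
        self._pending = {}                 # user -> [sha256(code), expiry, attempts]

    def send(self, user, phone_number, now):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.randint
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = [digest, now + OTP_TTL_SECONDS, 0]
        self._carrier_path.append((phone_number, f"Your bank code is {code}"))  # plaintext

    def verify(self, user, code, now):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if now > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or being brute-forced: burn it
            return False
        entry[2] += 1
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self._pending[user]  # single use
        return ok


def steal_latest_sms(carrier_path):
    """Whoever controls the number or the signalling path sees what the bank sent."""
    return carrier_path[-1][1].split()[-1]


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**digits:0{digits}d}"


def totp(secret, at_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step), digits)


class TotpService:
    """Bank side of an authenticator-app factor: the phone number plays no part."""

    def __init__(self):
        self._secrets = {}       # user -> secret shown once as a QR code at enrollment
        self._last_counter = {}  # user -> last accepted time step, to refuse replays

    def enroll(self, user):
        self._secrets[user] = secrets.token_bytes(20)
        return self._secrets[user]  # delivered in the enrollment session, never by SMS

    def verify(self, user, code, now, window=1):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        current = int(now // TOTP_STEP)
        for counter in range(max(current - window, 0), current + window + 1):  # drift tolerance
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self._last_counter.get(user, -1):
                    return False  # that step was already consumed: replay
                self._last_counter[user] = counter
                return True
        return False


def demo(now=1_700_000_000):
    """Run both flows at a fixed instant and report what an eavesdropper gets."""
    carrier_path = []
    sms = SmsOtpService(carrier_path)
    sms.send("alice", "+15550100", now)  # constructed phone number
    attacker_in = sms.verify("alice", steal_latest_sms(carrier_path), now + 10)
    app = TotpService()
    secret = app.enroll("alice")
    app_login = app.verify("alice", totp(secret, now), now)  # computed on the phone, nothing texted
    return {"sms_attacker_logged_in": attacker_in,      # True: the channel leaked the code
            "app_login": app_login,                     # True, with nothing to intercept
            "messages_on_carrier_path": len(carrier_path)}  # 1, all from the SMS flow
```

Call demo() and the result says it plainly: the text read off the carrier path logs the attacker in, while the app login never put anything on that path. The SMS side also shows the server hygiene a bank must still do (CSPRNG, hashed storage, expiry, attempt cap, single use), none of which helps once the code has been read in transit; the TOTP side refuses a reused code for the same time step, which is the replay check an authenticator backend needs.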
Take Charge and Push for Change
For You: Protect Yourself Now
- Use app-based MFA or passkeys if you can.
- Set a port-out PIN or account PIN with your carrier (some call it a number lock), so moving your number takes more than a convincing phone call. A PIN on the SIM card itself protects a stolen handset, not against a swap.
- Watch out for phishing emails and fake calls (see "Don't Answer That Phone!").
- Freeze your credit with the credit bureaus (see "Protecting the Real You: Essential Steps to Protect Your Personal Data").
- Notice a SIM swap? Call your carrier to reclaim the number, then your bank and the police right away.
For Banks: Step Up
- Switch to modern, safe login methods.
- Secure the whole process, including third parties.
- Put peopleâs safety over cheap fixes.
The Final Word
In 2025, using SMS OTPs isn't just old-school. It's a bet with your money on the line. You can guard yourself, but banks need to do better. Tell your lawmakers to push for rules that fit today's risks.
Remember, we may not have anything to hide, but everything to protect.