It's Time to Move Beyond Telephony for Security
We completely agree with a recent Thomson Reuters article, "A deep dive into the growing threat of SIM swap fraud", which argues that carriers must strengthen their security to combat the rising threat of SIM swaps. We're also encouraged to see the federal government putting pressure on them to do so.
However, the article misses a critical point: the inherent, fundamental weaknesses of telephony protocols themselves. We believe it's past time to stop relying on these protocols for security chains, a problem we've highlighted before. The short version is that these systems were never built with security in mind, yet major institutions continue to use them to authenticate users.
Every day we see real-world consequences of this outdated approach—from a simple help desk call that leads to a social engineering attack to a SIM swap that drains a bank account. And to make matters worse, some institutions actually prevent users from securing their accounts with modern tools. For example, they may block the use of a Voice over IP (VoIP) number that a user has secured with a hardware key, or they may prevent you from creating and using a secured, single-use VoIP number for an account.
The Insecure Foundation of Telephony
Our concerns with using telephony protocols for security are widespread. Here's a breakdown of the core issues:
Lack of Encryption: Traditional telephone networks like the Public Switched Telephone Network (PSTN) weren't designed with encryption. Calls are transmitted as an unencrypted stream, making them easy to intercept. Anyone who grew up with party lines knows just how simple it was for someone to listen in on a conversation.
SS7 Attacks: The Signaling System No. 7 (SS7) protocol, which routes calls and texts globally, is a major vulnerability. Designed decades ago for a trusted network, it lacks modern security. Attackers with access to the SS7 network can:
- Spoof Caller ID to make a call appear to be from a trusted number.
- Intercept SMS messages, including one-time passcodes (OTPs).
- Redirect calls to their own device to steal voice-based OTPs.
- Track your physical location.
An attacker can execute these attacks with only your phone number—no need for physical access to your device.
SIM Swapping: This is a social engineering attack where a scammer tricks your carrier into transferring your phone number to a new SIM card they control. Once they have your number, they receive all your calls and texts, including crucial OTPs, and can take over your accounts.
VoIP Vulnerabilities: While newer Voice over IP (VoIP) protocols like Session Initiation Protocol (SIP) are more advanced, they aren't immune to attacks. They can be susceptible to eavesdropping if not encrypted, and they are also vulnerable to Denial of Service (DoS) attacks and SIP header manipulation, which can disrupt service or redirect calls.
A Call for a Secure Future
While we appreciate efforts to improve carrier security, the fundamental problem remains: why are we still using phones as a security tool at all?
We urge a collective effort to move toward a more secure digital authentication model. By adopting modern solutions like passkeys and hardware keys, we can prevent the theft of credentials and create a future where our identity is no longer tied to a vulnerable, outdated system. We cannot secure the future with yesterday's solutions; it's time to move forward.
Remember, we may not have anything to hide, but everything to protect.
