How a Simple SMS Message Can Test the Safety of 5 billion people

The safety of over 5 billion can now be measured by criminals using just a single SMS text message sent to a regular SIM card inside a regular mobile handset.

Let’s imagine a mobile provider named VeriziPhone with 100 million subscribers. A threat actor needs only to send one SMS with a dangerous web link to any regular VeriziPhone SIM card. If their test message doesn’t reach their own handset, they’ll try another link. Once successful, they’ve essentially gauged the network’s vulnerability for all 100 million mobile users. This enables them to launch targeted phishing attacks on companies like Cisco, Microsoft, Twilio, Okta, and Uber, or widespread phishing scams on consumers, knowing some will fall victim.

It only takes one person to trust one dangerous link inside one dangerous SMS for maximum harm to be caused. This method of testing a dangerous link’s effectiveness on any mobile network is quick, easy, and inexpensive. Given that attackers invariably test their links before executing an attack, it’s virtually impossible for operators to shield subscribers from the majority of phishing threats that matter most.

What’s the answer?

Protection is only feasible if every web link is presumed dangerous until proven safe, and authenticated each time it appears in an SMS — before being delivered to each handset. This approach is called “Zero Trust”, and it’s the gold standard of cybersecurity. Yet only FIDO keys (based on a W3C Recommendation) and MetaCert (based on a W3C Recommendation) apply the concept to web links/URLs.

While the cybersecurity industry is now obsessed with authenticating individuals for website access, service use, and software downloads, the authentication of the resources they interact with is completely ignored. Everyone is happily authenticating themselves with criminals hiding behind legitimate-looking websites.

Remember, the efficacy of any security solution for SMS can be evaluated with one SMS message being sent from a regular SIM to a regular SIM. The same can be said for MetaCert’s ‘Zero Trust SMS’ — a solution that will be realized by select subscribers on the first mobile network in the world to adopt a security solution designed for subscribers instead of operator infrastructure and revenue, by the end of February 2024 (that’s the end of this month!). I worry for other operators who decide that subscriber protection isn’t a big enough problem to address yet, because banks will undoubtedly apply pressure on them. Banks don’t own or operate any part of a telecom network, obviously, so it stands to reason that they can’t be part of the solution — unless it’s to promote a solution being offered by a cybersecurity company. I can’t image any bank allowing network operators in their country to ignore the need for subscriber protection.