What’s The Difference Between A Text Message And A Push Notification When It Comes To Two Factor Authentication

After I posted this story on a client of mine who unfortunately was the victim of a SIM Swap Attack, I got a couple of emails asking why I said this:

Now while I was there, I helped my client to not only change his banking password as he was having difficulty doing that, but enable push notification based two factor authentication. I did that because a SIM Swap Attack relies on the target having two factor authentication codes coming over text message. If they come via push notification, then a SIM Swap Attack would be totally ineffective as those notifications are not connected to the SIM. In fact, I encourage anyone who reads this to see if you can move any two factor authentication codes to push notifications as a means to mitigate an attack like this should it happen to you.

Specifically, they were asking why they should switch to using push notifications for two factor authentication rather than relying on a text message. On the surface the two seem to be the same: both are messages that pop up on your phone, so I can see why people would think they are the same. But there are a couple of important differences.

A text message is sent over the air and is tied to your phone number, which is why SIM Swap Scams have become so pervasive. If a threat actor already has your password to, say, your online bank account, and the bank requires you to type in a code that it sends by text message, then all they need is to get control of your phone number by swapping it to a SIM that they control, and they can access your bank account. That makes text messaging completely insecure for securing your online accounts. To go down the rabbit hole further, text messages have other liabilities:

  • Your cellular carrier can see your text messages as they are completely unencrypted. So if you’re talking about anything sensitive or confidential via text message, that’s not a good idea.
  • Criminals and the police can see and intercept your text messages for the same reason as in the previous point.

So before I get to why push notifications are the better way to go, let me get to messaging apps and standards like iMessage, RCS, Signal, WhatsApp and the like. iMessage is end to end encrypted, so anything that is sent over iMessage is going to be secure. That’s great, but we live in a world where there are people who don’t use iPhones, so that’s not an option. RCS is what Android phones have been using as their default messaging standard, and it is supported on iPhones. So isn’t that an option? No. Currently RCS support on iPhone doesn’t do encryption in the same way that iMessage does, so that’s a non-starter for authentication purposes. That will change shortly. Having said that, some of what RCS supports depends on what your cellular carrier and your handset manufacturer choose to support, so if you’re on a carrier that doesn’t support encryption of RCS messages, you’re out of luck. As for third party messaging apps like WhatsApp or Signal, they may or may not support encryption, but either way that means one more app that a bank, for example, would have to support.

This is where push notifications come in. Apple has APNS, or Apple Push Notification Service, and there’s GCM, or Google Cloud Messaging. Both create a one to one relationship with the device and not the SIM card. So a threat actor could execute a SIM Swap Attack but be no further ahead, as the two factor authentication codes are going to the device. On top of that, messages are encrypted in transit, making this the better option for sending sensitive information like two factor authentication codes. Another option for app developers is to implement push notification support via Firebase, which is Google’s standard for the same thing as APNS and GCM. The thing is that it is cross platform, so you can reach Android and iOS users easily. And it too is encrypted. So it is secure while at the same time being easier to implement on both iOS and Android.
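To make the routing difference described here and in the SIM Swap paragraph above concrete, here is a small model of the two delivery channels. It is an added example, not code from the original post, and the carrier, bank, push service, device names, phone number and tokens are all constructed for the demonstration. The point it shows is that an SMS code is routed by phone number, which the carrier can rebind to a different SIM, while a push code is routed by a per-app-install device token that no SIM change touches.

```python
"""
Added example (not from the original post): a model of SMS delivery versus
push delivery for a one-time code, showing which device ends up holding the
code after the carrier rebinds the phone number to a different SIM.
Every name, number and token here is constructed for the demonstration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    name: str
    sim_iccid: str                      # SIM currently inserted in this handset
    inbox: list = field(default_factory=list)


class Carrier:
    """Routes SMS by phone number -> SIM -> handset (the thing a SIM swap changes)."""

    def __init__(self):
        self.number_to_sim = {}
        self.sim_to_device = {}

    def activate(self, number, device):
        self.number_to_sim[number] = device.sim_iccid
        self.sim_to_device[device.sim_iccid] = device

    def sim_swap(self, number, new_device):
        # The effect of a SIM swap at the carrier: the number now terminates
        # on a different SIM, so anything addressed to the number follows it.
        self.number_to_sim[number] = new_device.sim_iccid
        self.sim_to_device[new_device.sim_iccid] = new_device

    def send_sms(self, number, text):
        device = self.sim_to_device[self.number_to_sim[number]]
        device.inbox.append(("sms", text))
        return device.name


class PushService:
    """Routes push messages by device token -> registered app install (APNS/FCM style)."""

    def __init__(self):
        self.token_to_device = {}

    def register(self, device):
        token = secrets.token_hex(16)   # issued to this app install, not to a SIM
        self.token_to_device[token] = device
        return token

    def send_push(self, token, text):
        device = self.token_to_device[token]
        device.inbox.append(("push", text))
        return device.name


class Bank:
    """Stores the enrolled second factor: either a phone number or a push token."""

    def __init__(self, carrier, push):
        self.carrier, self.push = carrier, push
        self.users = {}

    def enroll_sms(self, user, number):
        self.users[user] = ("sms", number)

    def enroll_push(self, user, token):
        self.users[user] = ("push", token)

    def send_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        channel, destination = self.users[user]
        text = f"Your code is {code}"
        if channel == "sms":
            return self.carrier.send_sms(destination, text), code
        return self.push.send_push(destination, text), code


def simulate(use_push: bool) -> str:
    """Return the name of the device that receives the login code after a SIM swap."""
    carrier, push = Carrier(), PushService()
    victim = Device("victim-phone", sim_iccid="8901-VICTIM")      # constructed
    attacker = Device("attacker-phone", sim_iccid="8901-ATTACKER")  # constructed
    carrier.activate("+1-555-0100", victim)                         # constructed number

    bank = Bank(carrier, push)
    if use_push:
        bank.enroll_push("alice", push.register(victim))  # token issued to her app install
    else:
        bank.enroll_sms("alice", "+1-555-0100")

    carrier.sim_swap("+1-555-0100", attacker)   # the number now lives on another SIM
    delivered_to, _ = bank.send_otp("alice")    # a login attempt triggers the code
    return delivered_to


if __name__ == "__main__":
    print("SMS code after SIM swap lands on:", simulate(use_push=False))
    print("Push code after SIM swap lands on:", simulate(use_push=True))
```

Running it shows the SMS code landing on the handset that now holds the number, while the push code still lands on the handset where the app was enrolled. The model deliberately leaves out everything about how a swap is obtained; the defensive takeaway is only that the bank's lookup key for SMS (a phone number) is controlled by a third party, whereas the lookup key for push (a device token) is issued to the app install itself.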

Now, any app developer that uses two factor authentication codes for any reason should implement push notifications ASAP while at the same time deprecating support for text messaging. Canadian Imperial Bank Of Commerce, for example, has sort of done this by supporting push notifications as an option. But for whatever reason they still support text messaging. This needs to change, because if most if not every app delivers two factor authentication codes this way, the world will be a safer place and SIM Swap Attacks will simply die because they will not work.

What do you think? Should consumers demand better from app developers when it comes to the delivery of two factor authentication codes? Leave a comment below and share your thoughts.

2 Responses to “What’s The Difference Between A Text Message And A Push Notification When It Comes To Two Factor Authentication”

  1. Lyne Lavoie Says:

    Thank you for all the education you provide. I’m a senior and just wanted to confirm that my understanding is correct in that if you’re using an iPhone, you do not have to worry about push notification as it is built in? Is that correct?

    • Hello and thanks for reading. Push notifications are built into both platforms. The problem is that banks and others that use two factor authentication codes still use text messages for this instead of using push notifications. What needs to happen is that these apps need to use push notifications by default. That’s true if you use an iPhone or an Android phone.
