Hidden threats SMS: cellular operator knows too much

Hidden threats SMS: cellular operator knows too much

We talk about the potential threat to security and privacy when using SMS.


Who first encountered a mobile phone, in addition to calls, found out about the presence of short text messages. And if initially messages were used more often to exchange information without the participation of a live operator (we remember the pager), now they have become the main tool for notifications and verification.

We conducted a thematic survey in our telegram channel :

Result: 87% use SMS . Not everyone is obvious, but the answer “ Only for receiving notifications ” threatens privacy even more than SMS correspondence with someone who does not have instant messengers. Congratulating a relative on holidays, you wonder what you are writing about. Who sends notifications - no.

The sample is modest, but in large numbers the difference will be insignificant.

Threat # 1: Unauthorized expenses

Regularly appear stories about automatic subscriptions to paid services. Last month, on Habré talked about Megaphone :

A year ago, about MTS on Medusa :

To understand the scale of the problem:

Threat # 2: Account Security

You lose your SIM-card, you apply your passport to the salon of a cellular operator, an employee issues a new card with your number in a minute. An ordinary script? He can do the same thing of his own free will without your knowledge, if the benefit exceeds the consequences and the likelihood of punishment.

But it is noticeably more popular reissuing SIM-cards with a fake power of attorney . Realizing the problem, cellular operators offer to protect themselves by prohibiting actions on behalf of subscriber by proxy. Although you could solve the problem globally by setting a default ban.

Once in the wrong hands, your number becomes the key to mail, instant messengers, and a variety of payment instruments. That is, everywhere, where access recovery or verification via SMS is used.

The relatively good news is that most modern banks are able to track the fact of a SIM-card change, which means they will not be allowed into the Internet bank, and will not send an online payment confirmation code. At least until you confirm the change of card in the office or by phone. But do not forget that the operator’s records for the “Spring package” are kept for six months, and there, among other things, there are your answers to the “secret questions”.

Security agencies can also take control of your SMS, which we told about before. No re-issue of the SIM card and completely transparent to the subscriber.

Threat 3: Privacy

Here is the most interesting.

Notifications from companies : online services, restaurants, clubs, clinics, shops, delivery services, car sharing. Many sign their messages, which means you can immediately determine which services the client uses. How much personal information is contained in such messages, you can submit yourself.

Notifications from banks . From such messages you can get information:

• on account balances;
  • on withdrawals and deposits in various ATMs;
  • about your total turnover for any period;
  • about deposits: amount, term, interest paid;
  • on approved loans, payments on them and debts;
  • about the issued cards, about a part of their numbers, and sometimes a part or the whole pin-code;   • about all transactions of the user, his purchases;
  • about paying bills;
  • about transfers to other people, including their names and account numbers.

And so what the operator keeps is not protected by any “banking secrecy.”

The collected information allows you to create a thorough and personalized customer profile. Analytics does not require a lot of resources: textual information on templates, keywords and the type of addressee is easily processed by algorithms.

This profile provides almost unlimited opportunities for the operator and anyone else who has received unauthorized access, including database leakage.

About information leaks at @dataleak

Open your SMS and see what information you share with the operator in the clear.

How many SMS archives are stored? According to Mobile-Review Investigation - 3 years, according to information Maxim Katz - at least 2 years.

Tearing off the needle SMS - it will not be easy

Financial Operations

Moving to the use of Push-notifications instead of SMS.
Example scenario from Alfa-Bank:

A similar procedure is available in most other banks with mobile applications.

Login confirmations

We use verification applications in the smartphone (Google Authenticator and analogs), smart cards, tokens, or at least a confirmation by e-mail of a reliable mail service.


Anyone with whom you communicate via SMS can be transplanted to secure or relatively secure foreign messengers. Show them in person that using messengers is not scary or painful.

Two more radical options

For discussion.

Using a foreign SIM card
A few doubts about the reliability of this option:

  • Are these SMS available in open form to a local operator that serves a foreign number when roaming?
  • Stores and should he keep them legally?
  • Do I have to provide information about messages to such numbers upon request?

If someone wants to talk about the “inner kitchen” of these questions, but is not ready to do this in public comments, you can anonymously write a telegram-bot to our telegram marked "for Habr". By your permission, we will add impersonal information to the article.

Full SMS Rejection
It is hard to imagine how to live with it. But in our vote, this option scored 13% ...

Will you be able to completely refuse SMS?

Source text: Hidden threats SMS: cellular operator knows too much