secure SMS message Archives - LuxSci

Posts Tagged ‘secure SMS message’

Secure Texting: Communication’s Unicorn

Tuesday, March 5th, 2019

Does secure texting exist, or is it as elusive as a clear photo of bigfoot? To answer that question, we have to take a look at the main SMS (short message service) protocols.

The majority of the world’s texting is done using either the Global System for Mobile Communications (GSM), High Speed Packet Access (HSPA) or Long Term Evolution (LTE) standards. Under these systems, text messages are transmitted from devices to a short message service center. This center stores the messages and attempts to send them on to the recipients. If it cannot reach them, the messages are queued to be tried again later.

The Issues with SMS

The main problems with SMS messaging are that it is both unreliable and insecure.

The Reliability of SMS

Unfortunately, SMS messages are inherently unreliable. The sender does not know whether their message has been delivered, nor whether it has arrived on time. On top of this, messages can be completely lost, while others may only be received long after they were needed.

SMS Security Problems

SMS messages have issues with confidentiality and authentication, as well as a number of widely known security vulnerabilities.

Messages sent with GSM are only optionally encrypted between the mobile station and the base transceiver station. If they are encrypted, they use the A5/1 cipher, which is known to be vulnerable. This makes it possible for anyone with enough motivation to read the messages.

If that isn’t bad enough, the authentication process is also flawed. Users are authenticated by the network, but the user does not authenticate the network in return. This makes the user vulnerable to man-in-the-middle attacks.
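The one-way authentication described above, modelled as an added example that is not part of the original post: the SIM proves knowledge of its key to the network, but only the mutual variant makes the network prove knowledge of the key back. Assumptions: HMAC-SHA256 stands in for the operator's algorithms, the class and function names are hypothetical, and the mutual check is simplified (real 3G/LTE authentication tokens also carry a sequence number).

```python
import hashlib
import hmac
import os
from typing import Optional

def prf(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # Stand-in for the operator algorithms (assumption): truncated HMAC-SHA256.
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]

class Network:
    """A base station; ki is the subscriber key it holds, or None if it has none."""
    def __init__(self, ki: Optional[bytes]):
        self.ki = ki

    def challenge(self):
        rand = os.urandom(16)
        # Without the subscriber key, the station can only guess the token.
        key = self.ki if self.ki is not None else os.urandom(16)
        return rand, prf(key, b"network-token", rand, 8)

    def sim_is_genuine(self, rand: bytes, sres: bytes) -> bool:
        return self.ki is not None and hmac.compare_digest(
            sres, prf(self.ki, b"sres", rand, 4))

class Sim:
    def __init__(self, ki: bytes):
        self.ki = ki

    def one_way(self, rand: bytes) -> bytes:
        # GSM-style: answer any challenge; RAND proves nothing about its sender.
        return prf(self.ki, b"sres", rand, 4)

    def mutual(self, rand: bytes, token: bytes) -> Optional[bytes]:
        # Mutual style: check the network's proof of the key before answering.
        expected = prf(self.ki, b"network-token", rand, 8)
        if not hmac.compare_digest(token, expected):
            return None
        return prf(self.ki, b"sres", rand, 4)

def attach(sim: Sim, net: Network, mutual: bool) -> dict:
    """Run one authentication exchange and report what each side learned."""
    rand, token = net.challenge()
    sres = sim.mutual(rand, token) if mutual else sim.one_way(rand)
    return {
        "sim_answered": sres is not None,
        "network_verified_sim": sres is not None and net.sim_is_genuine(rand, sres),
    }

KI = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
```

With `attach(Sim(KI), Network(None), mutual=False)` the SIM still answers a station that holds no key, which is the gap the paragraph describes; with `mutual=True` it refuses.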

You may think that you are safer if you use LTE, but renegotiation attacks can be used to force your phone to use GSM instead.

On top of this, there are also the dangers of SMS spoofing, SIM swapping, and a variety of other security vulnerabilities. Since we can’t trust the encryption or authentication processes in SMS, it’s best to assume that any SMS you send can be intercepted and accessed.

As you can see, secure SMS is like a unicorn. It doesn’t exist, and you should never use the medium to transmit any sensitive or valuable information. Because of this, SMS messages should either be avoided or strictly controlled, particularly in tightly regulated fields like healthcare. All it takes is one message that accidentally contains ePHI, and your organization could be feeling the heavy hand of HIPAA penalties.

But I hear the term secure texting all the time…

That’s true, lots of providers refer to their offerings as secure texting. But the majority of these services aren’t using SMS. If they are, then they certainly aren’t secure and you should steer clear of anything to do with the company.

How Can Messages Be Sent Securely?

Although the standards used for SMS are lost causes, that doesn’t mean that you can’t securely exchange short written messages.

The answer? LuxSci’s SecureText.

LuxSci’s solution doesn’t send sensitive information over the standard protocols used for SMS, so you don’t have to worry about any of the security issues that surround SMS messaging.

SecureText transmits its data with TLS protection, stores its information with 256-bit AES, and never keeps data on the recipient’s device. Recipients use password-based authentication to access the information, and messages are securely stored in LuxSci’s databases. Every step is safe and completely HIPAA compliant.

The best part? No one has to download yet another app to send or receive secure messages.

How Does SecureText Work?

The sender uses LuxSci’s SecureLine encryption service:

  1. They write their message in either LuxSci’s WebMail or their preferred email program.
  2. In the address field, the sender enters a special email address that is based on the recipient’s phone number. For example, an address of 2114367789@secure.text would send the message to a US recipient whose number is 211-436-7789. Once the sender is finished, they hit the send button.
  3. The recipient will receive a normal SMS that tells them a secure message is waiting for them. The message contains a link, which opens up their phone’s web browser:
     • If they have recently viewed another SecureText message, the new message will immediately be displayed.
     • If the recipient has used SecureText to view messages at an earlier date, they will need to enter their password before they can view the message.
     • If this is the recipient’s first SecureText message, they will need to set up a password before they can view the message.

The protected and HIPAA-compliant design of LuxSci’s SecureText makes it useful for sending ePHI in a range of different situations. It’s a great option for messaging without email.

It can be used to send appointment reminders, for general communication with patients, and to send real-time alerts that include sensitive information. All with none of the risk that comes from SMS messaging.


SIM-Swapping: Why SMS Authentication Is a Bad Idea

Thursday, October 11th, 2018

SMS authentication has been around for a while now. Sure, it’s a bit of a hassle to get those codes sent from your bank or your other accounts–especially if your phone’s in the next room–but at least it makes you feel safe.

Unfortunately, it’s nowhere near as safe as you may think. The concept of two-factor authentication is an important aspect of beefing up your security, but SMS has some major vulnerabilities which can work around the primary factor, stripping away a layer of your security and potentially making you more vulnerable than you would have been without it.

What Is SIM-swapping?

SIM-swapping is your biggest concern when it comes to SMS authentication. It involves an attacker calling up the cell-phone provider of their target and impersonating them. They tell the operator that they’ve lost their SIM card or had their phone stolen, and ask them to switch the cell phone number over to a new SIM card which they have in their possession.

All they need is a bit of social engineering skill and some of the victim’s information, which they can find through social media, data leaks or through phishing. With this personal information, they breeze past any security questions that the operator might ask. Once everything seems to be in order, the operator will assume the request is legitimate and quickly switch over the phone number to the attacker’s SIM card.

Once it has been switched over, the number is disconnected from the victim’s SIM card and all of their calls and messages are diverted to the attacker. This gives the attacker an absurd amount of power to wreak havoc on the victim’s life.
