- SMS sign-in links rely on possession alone, leaving private accounts dangerously exposed
- Weak tokens allow attackers to guess valid links and access other users ‘ accounts
- Unencrypted text messages remain a fragile foundation for account authentication
Many online services now rely on sign-in links or codes delivered through text messages instead of traditional passwords, which reduces steps during account access and avoids storing password databases, which attackers often breach.
Despite the convenience, SMS remains an unencrypted communication channel, which makes it vulnerable to interception, reuse, and long-term exposure.
And now, a new technical review has examined more than 322,000 unique URLs drawn from over 33 million SMS messages tied to more than 30,000 phone numbers, finding the messages linked to at least 177 digital services, including platforms offering insurance quotes, job listings, and personal referrals.
Convenient but at what cost?
Even within a limited observation window using public SMS gateways, the review identified repeated exposure of sensitive user data across hundreds of service endpoints.
The main security weakness involved authentication systems that treated possession of an SMS-delivered URL as sufficient proof of identity.
Anyone who obtained such a link could access private user information without further verification, which often included dates of birth, banking details, and credit-related records.
The researchers also observed that 125 services used tokens with low entropy, which made it possible to guess valid links by altering characters.
Some links remained active for months or even years, extending risk well beyond the initial login attempt.
In addition, mismatches between visible interface elements and backend data requests caused unnecessary overfetching of personal information.
The number of affected services is likely understated, given the narrow visibility provided by public SMS gateways.
SMS traffic travels without encryption, and prior disclosures have shown that stored text messages can remain accessible long after delivery.
Despite these known limits, SMS-based authentication continues to expand due to perceived convenience and reduced reliance on password storage.
Of roughly 150 providers contacted during the study, only 18 acknowledged the reported weaknesses, and even fewer implemented corrective actions.
Those changes reportedly reduced exposure for tens of millions of users, although most services offered no public response.
User-side defenses, such as a firewall, do little to reduce risks created by flawed authentication logic.
Similarly, malware removal tools offer little protection when access requires nothing more than a valid link.
The findings raise questions about how identity theft protection services assess threats that stem from design choices rather than direct account compromise.
These issues highlight a structural reliance on service providers to fix weaknesses that remain largely invisible to affected users.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
