SMS in the clear - GIF
We created a GIF demo to illustrate how text messages passing through a telephone company network are visible in plaintext. As many beginner participants are new to seeing a terminal interface, we recommend narrating over this GIF, and giving learners some context as to what's happening. You might want to use this GIF for explaining how end-to-end encrypted messaging apps can be helpful in preventing prying eyes from seeing the content of messages. With such access, an attacker can also spoof elements of the network to divert the texts. The blurred areas block the phone number.
In this scenario, the facilitator can make it clear that the eavesdropper has to have access to the "Telco Network" (SS7). Though this can sound like a limited circle of people who can access these texts, it is not as limited as people might think. Access to this network can and is bought by many third-party services.
Suggested questions to explore with learners:
- What kind of information do people send over SMS? What are some examples of information that is sensitive?
- What is visible to an eavesdropper?
- What is visible to a telephone company?
- How many people might have access to this telephone company data?
- Why might you want to use end-to-end encrypted messaging instead of SMS?
This GIF can also be used to spur a discussion among learners for evaluating whether SMS-based two-factor authentication is a good option for them.
Facilitators should exercise a harm reduction framework with this point—if participants only have SMS-based two-factor authentication "Something you know, and something you have." Login systems that require only a username and password risk being broken when someone else can obtain (or guess) those pieces of information. Services...Read more available to them, elaborating on the insecurity of SMS can be unhelpful and counterproductive. Helping learners to achieve some security is better than perfect security.