- SMS login links rely solely on possession, leaving private accounts dangerously exposed
- Weak tokens allow attackers to guess valid links and access other users’ accounts
- Unencrypted text messages remain a weak basis for account authentication
Many online services now rely on login links or codes delivered via text messages instead of traditional passwords, reducing steps during account access and preventing the storage of password databases, which attackers often breach.
Despite its convenience, SMS remains an unencrypted communication channel, making it vulnerable to interception, reuse, and long-term exposure.
And now, a new technical review has examined more than 322,000 unique URLs extracted from more than 33 million SMS messages linked to more than 30,000 phone numbers, finding the messages linked to at least 177 digital services, including platforms that offer insurance quotes, job offers and personal references.
Convenient but at what cost?
Even within a limited observation window using public SMS gateways, the review identified repeated exposure of sensitive user data across hundreds of service endpoints.
The main security weakness involved authentication systems that considered possession of a URL sent by SMS as sufficient proof of identity.
Anyone who obtained such a link could access the user’s private information without further verification, which often included dates of birth, banking details, and credit-related records.
The researchers also observed that 125 services used tokens with low entropy, which allowed valid links to be guessed by altering the characters.
Some links remained active for months or even years, extending the risk far beyond the initial login attempt.
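As an added illustration (not code from the review or from any service it examined), a login-link issuer can avoid the weaknesses described above by using 256-bit random tokens, a short lifetime, single use, and a binding to the browser that requested the link. The function names, the in-memory store and the 10-minute lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32         # 256 bits from the OS CSPRNG; altering characters will not hit a valid link
TOKEN_TTL_SECONDS = 600  # assumed 10-minute lifetime (illustrative), not months or years
_store = {}              # hypothetical in-memory store: sha256(token) -> record


def _digest(value):
    # Only hashes are stored, so a leaked store does not yield usable links.
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(user_id, now=None):
    """Return (token for the SMS link, browser_secret for a cookie on the requesting browser)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    browser_secret = secrets.token_urlsafe(TOKEN_BYTES)
    _store[_digest(token)] = {
        "user": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "browser": _digest(browser_secret),
    }
    return token, browser_secret


def redeem(token, browser_secret, now=None):
    """Return the user id, or None if the link is unknown, expired, reused or opened elsewhere."""
    now = time.time() if now is None else now
    # pop() makes the link single use; a failed attempt also burns it (fail closed).
    record = _store.pop(_digest(token), None)
    if record is None or now > record["expires"]:
        return None
    # Possession of the SMS link alone is not enough: the requesting browser must match.
    if not hmac.compare_digest(record["browser"], _digest(browser_secret or "")):
        return None
    return record["user"]
```

With this design, a link read from an intercepted or publicly visible SMS fails at the browser check and is invalidated by the attempt.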
Additionally, discrepancies between visible interface elements and backend data requests led to unnecessary over-fetching of personal information.
The number of affected services is likely to be underestimated, given the poor visibility offered by public SMS portals.
SMS traffic travels without encryption, and previous disclosures have shown that stored text messages can remain accessible long after delivery.
Despite these known limits, SMS-based authentication continues to expand due to perceived convenience and reduced reliance on password storage.
Of approximately 150 service providers contacted during the study, only 18 acknowledged the reported weaknesses and even fewer implemented corrective actions.
Those changes reportedly reduced exposure for tens of millions of users, although most services offered no public response.
User-side defenses, such as a firewall, do little to reduce the risks created by faulty authentication logic.
Similarly, malware removal tools offer little protection when access requires nothing more than a valid link.
The findings raise questions about how identity theft protection services assess threats that arise from design choices rather than direct account compromise.
These issues highlight a structural dependence on service providers to correct weaknesses that remain largely invisible to affected users.




