SMS gateway Voxox made headlines recently when a security researcher discovered layers on layers of security failures that made it possible for TechCrunch to access a database containing tens of millions of SMS messages that had been sent to users around the world by businesses - including plaintext password resets, live links for package shipping information and more sensitive data. Even worse, Voxox did not lock down the database when initially notified, so active messages containing two-factor authorization codes and other active sensitive data were visible to the TechCrunch team in real time.
When we at Virgil Security see security breaches like this, it’s painful. As security experts who’ve written about vulnerabilities in Telegram’s Passport and been selected by Twilio to support end-to-end encryption on their platform, we’re in a unique position to look at what could have been done differently and turn the situation into a teachable event for others who still have time to correct similar mistakes in their own systems.
Two factor authorization is seen as a security mechanism to make apps and websites more secure. But ironically, as the world moves from SMS and phone calls to IP-based messaging, these texts are the weakest link in an increasingly secure communication chain. They represent one very visible data point as the communications platform as a service (CPaaS) market shifts from what’s known as CPaaS 1.0 to CPaaS 2.0.
Whereas most CPasS 1.0 platforms were primarily adding legacy Public Switched Telephone Network (PSTN) communications like SMS text messaging and phone calls to applications through APIs, CPaaS 2.0 takes advantage of the huge technological leaps we’ve made in the last decade to build IP-based seamless communication experiences across video, voice, chat, file sharing, and more.
A recent Gartner Market Trends report projected that by 2020, 30% of enterprises will embed communications into digital processes using APIs from CPaaS vendors, up from less than 5% in 2017, according to Twilio.
Recent acquisitions like Vonage’s purchase of TokBox signal that the major players believe in a complete cloud-based communications suite and are shifting from a telco utility play to an engagement play.
But the advantages of CPaaS extend beyond the product features. In contrast to SMS and voice calls, IP-based channels can actually be secured to protect business and user data.
Concern about lax security in tech is something that’s easy to chalk up to fear mongering or categorize as just a cost of doing business. That’s absolutely not the case with SMS vs. IP-based messaging. The differences are stark and significant.
SMS messages can be read by anyone who wants to read them - and they are. In fact, SMS-based two-factor authentication has been the vulnerable point that made hacks targeting otherwise secure systems like Reddit, Coinbase (performed by researchers, not criminals) and Telegram all possible.
Why is SMS so entrenched? It’s mostly a matter of convenience all around: for end-users, enterprises and telcos protecting their market share.
Open rates are insanely high and most texts are read within 3 minutes. Up until recently, alternatives with the same ease-of-use and engagement just didn’t exist. IP messaging tools for enterprise use needed to be custom-built and often times were a pain to use for companies and end-users.
In fact, many doctors are actually using third party apps like WhatsApp in a medical setting because they know SMS isn’t secure but there isn’t a better option provided to them by the hospitals that actually works.
Messaging apps like WhatsApp, Signal and Hushed have proven that it’s possible to build a scalable, consumer app with IP messaging and video. Even better? They’re also secured with end-to-end encryption and other privacy features that SMS will never have.
And now, the CPaaS can benefit from these advances by providing enterprises with user-friendly communication tools that aren’t stuck in the 1990s in a technological sense.
Unfortunately, security still remains a second thought though for the CPaaS market. For example, CPaaS providers integrated WhatsApp’s new Business API into their platforms, which is great from a user experience standpoint. But unfortunately they’re breaking WhatsApp’s end-to-end encryption as soon as it enters the CPaaS company, which allows the messages to be decrypted and stored by the CPaaS companies.
It doesn’t have to be this way, though. Today, it’s possible with powerful cryptography technology to secure data and identities without inconveniencing the user (or developer).
Twilio, Nexmo and PubNub are offering end-to-end encryption as features for developers to build into their products. Next, platforms will take it a step further and build end-to-end encryption into their product as a core feature, on par with where the consumer market has been for years.
As we move into CPaaS 2.0, now is the time for the market leaders to build a firm foundation for IP-based communication in a way that wasn’t done for PSTN-based communications, and for which users, companies and employees are currently paying the price with leaked messages and data breaches globally.
Virgil Security has integrated SDKs to make it easy for developers to build end-to-end encrypted messaging on top of platforms like Twilio, Nexmo, PubNub and Firebase. To learn more, explore our blog or sign up for a developer account today.