Why do Canadian banks prefer SMS over email for 2FA?

It seems like SMS is more vulnerable than email when it comes to security. Phone numbers can be compromised through SIM swapping, while emails—if secured properly—offer more encryption and security options.

So why do Canadian banks insist on using a telecom provider for authentication instead of allowing 2FA through email, which at least has basic encryption?

My RBC account doesn’t use SMS. They do authentication through their own app instead.

TERRY1 said:
My RBC account doesn’t use SMS. They do authentication through their own app instead.

That’s definitely better than SMS or email. But using an industry-standard 2FA app would be even more secure since the codes are generated offline.

It’s harder to permanently obtain a phone number than it is to create multiple email addresses.

Jefferson said:
It’s harder to permanently obtain a phone number than it is to create multiple email addresses.

But there are serious concerns with SIM swapping and phone number takeovers.

Jefferson said:
It’s harder to permanently obtain a phone number than it is to create multiple email addresses.

I’d still argue that email is more secure for both transmission and account protection.

Losing access to an email account is often user error. But when a phone number gets transferred to a new SIM, it’s usually due to social engineering tactics used on both the user and telecom employees.

It’s much easier to gain access to someone’s email than their phone.

Ronald said:
It’s much easier to gain access to someone’s email than their phone.

You’d need my YubiKey to access my email, but someone could trick my phone provider into a SIM swap.

Also, mobile carriers have been hit with security breaches recently, making phone numbers more vulnerable.

@Han
This is exactly why I think banks are oversimplifying security. People are capable of learning if the information is presented correctly. Instead of misleading customers, banks should invest in better education tools—like infographics or actual security specialists teaching their teams, instead of relying on scripts.

@Han
Most people don’t have a YubiKey, though. That’s the problem.

Ronald said:
It’s much easier to gain access to someone’s email than their phone.

That’s not entirely true. Phone numbers can be hijacked through SIM swaps or intercepted using rogue cell towers.

Text messages aren’t encrypted in storage and often use only basic encryption in transit. On the other hand, email is at least transmitted over SSL, making it harder to intercept.

@Vic
Emails aren’t encrypted either. Security depends on the email provider. But email wasn’t originally designed to be secure.

beams said:
@Vic
Emails aren’t encrypted either. Security depends on the email provider. But email wasn’t originally designed to be secure.

True, but most major email providers now encrypt emails in transit. The actual content may or may not be encrypted on their servers, though.

@Vic
All the risks you mentioned are much harder to execute than simply hacking into an email account.

Ronald said:
@Vic
All the risks you mentioned are much harder to execute than simply hacking into an email account.

Maybe, but social engineering a phone provider is way easier than breaking into an email—especially if the user follows good security practices.

@Vic
You’re thinking like someone who knows tech. The average person falls for phishing and social engineering attacks all the time.

Scammers can find a lot of personal info online and use it for email account takeovers. And social engineering a telecom company is still much easier than setting up a rogue cell tower to intercept SMS.

@Ronald
That’s fair. But social engineering works on both phone providers and email accounts. Neither is perfect.

It’s probably just because more people check their texts faster than their emails.

Dexter said:
It’s probably just because more people check their texts faster than their emails.

That makes sense, but banks should stop telling people SMS is more secure. As an IT professional, that feels misleading.

@Vic
Google says SMS is more secure than email because it’s end-to-end encrypted through cellular networks.