Telstra exchange fire inadvertently proves that SMS is a terrible security token


ITEM: Telstra experienced a major network outage Thursday that cut off voice services, shut down trains, delayed flights and – weirdly – sent SMSs to the wrong phones. Which is humorous until you remember that banks use SMS to confirm transactions and password resets.

All of that was the result of a fire at Telstra’s Chatswood exchange in New South Wales, which impacted communications in Sydney, Melbourne, Brisbane, Perth and Adelaide. The website AussieOutages.com reportedly fielded over 5,000 reports of service outages across the country, while airline Jetstar reported that nine of its flights had been delayed as a result of the outage. NSW TrainLink North also reported service disruptions.

And then there were reports from customers that they were receiving random SMSs from strangers. Usually, SMS delivery to the wrong person is the result of a phone glitch – iPhones and Android phones sometimes have this problem following software upgrades. But it’s not typically caused by a network outage. Even Telstra CEO Andy Penn said during his apology for the outage that it was a new one on him, reports News Corp Australia:

… Penn held a media conference to apologise, describing the messages sent to the wrong numbers as “extraordinarily unusual”.

“I’ve never known that to happen before,” he said.

Telstra said it’s investigating both the cause of the fire and the reason SMSs went astray. Penn suggested that the texts in question had been corrupted, “which resulted in potentially some of those going to the incorrect address.”

But it’s not clear how they got corrupted in the first place. Network outages are nothing new – particularly to Telstra, which is no stranger to exchange fires, let alone outages – but the usual impact on SMS delivery is a massive backlog and delivery failure, not delivery to the wrong phone.

That may not seem like a big deal in the OTT age of WhatsApp, Line and Facebook Messenger. But it’s a bit more serious than receiving requests from strangers for cake recipes. SMS is also used for remittance services across Asia, for example. And as IT News reports, SMS is commonly used as a two-factor authentication tool for things like banking services and resetting passwords. You don’t really want someone else receiving those.

IT consultant and tech analyst Justin Warren commented on Twitter that the Telstra SMS glitch is the latest argument in favor of using alternative 2FA tools:

Indeed, it’s a wake-up call that’s been needed for a long, long time. Security experts have warned for years that SMS tokens are not all that secure. Last year, the US National Institute of Standards and Technology (NIST) said it would no longer recommend SMS-based 2FA codes for services connected to government IT systems, citing security concerns, and issued draft guidelines recommending other 2FA code-generating tools, such as apps like Google Authenticator or special USB dongles.

It will be interesting to find out just what caused Telstra’s SMS delivery to go haywire, but regardless of the findings, every organization using SMS as a security token should probably rethink that now and start looking at other 2FA tools.
