The SMS Scam: Why Your 2FA Strategy is an Open Goal for Hackers
Breaking News: SS7 Is Still Rubbish, and Your Business Is Still Using It
You’d think, in the year of our lord 2025, that the world would have moved on from using SMS as a secure communications channel. But no—thanks to legacy telco infrastructure, security theatre, and sheer apathy, SMS is still holding up authentication systems like it’s not made of string and hope.
And now? Hackers are openly flogging a zero-day SS7 exploit on underground forums for the price of a dodgy laptop and a few rounds at Wetherspoons. That’s right. For five thousand dollars, someone can allegedly intercept your SMS messages, track your team’s location, and reroute your calls—all without touching your actual device.
This isn’t just a wake-up call. This is your front door being kicked in while your business is still proudly authenticating accounts via text message.
What the Hell is SS7?
SS7, short for Signalling System No. 7, is the protocol suite that telecom operators use to talk to each other. Created in the 1970s (yes, really), it was designed in a simpler time when the biggest threat to phone networks was someone picking up the wrong line at the switchboard.
Its job is to handle call setup, SMS routing, roaming updates, and other back-end magic so your phone works anywhere. The flaw? There’s no real security baked in. Every major telecom operator trusted the others like it was the United Nations of signalling protocols. And we all know how that kind of trust goes.
What Can an Attacker Do with SS7 Access?
With SS7 access, an attacker doesn’t need your phone or your password. They can intercept your SMS messages, including banking OTPs, login codes, and verification messages. They can reroute or listen to calls, silently forwarding them to another number. They can track your phone in real time, pinpointing your location down to the cell tower. And they can bypass two-factor authentication altogether, because your bank, email, or Microsoft 365 login is still sending codes via SMS.
It’s a surveillance dream. Or a hacker’s playground. Either way, it’s your problem if you’re still relying on SMS for critical services.
The “Zero-Day” That Lit the Fuse
In early May 2025, a report by Cybersecurity News detailed dark-web posts advertising an SS7 exploit as a packaged toolkit. For five grand, buyers got an unpatched SS7 gateway vulnerability (allegedly a zero-day), scanning tools, target lists, and full exploitation code.
According to the listing, any telco using default routing setups is fair game. A handful of security researchers backed this up as plausible, although no telecom has confirmed the flaw. But then again—do they ever?
And let’s be honest: SS7 doesn't need a new zero-day to be dangerous. The entire protocol has been a sieve for years.
This Isn’t New – We’ve Been Screaming About It for a Decade
Remember when O2 in Germany had customer accounts drained in 2017 because attackers used SS7 to intercept SMS-based banking codes? Wired covered it. The banks knew. The telcos knew. But here we are, eight years later, still sending login codes over a protocol that couldn’t secure a biscuit tin.
Or Vodafone in the UK, who in 2016 got caught up in surveillance claims involving rogue SS7 access routes from abroad. And if you thought your business mobile number was just for calls, think again. SS7 has been used to track politicians, journalists, and high-level executives for years.
The EFF called it out way back then: SS7 is fundamentally broken, and telcos are pretending it's fine.
Why SMBs Should Panic Just a Little
Still think this is a nation-state problem? Think again. SS7 exploits are low-tech and increasingly low-cost. That makes them perfect for corporate espionage, listening in on negotiations, sales pitches, or sensitive boardroom discussions. They’re perfect for credential theft, like stealing OTPs for Microsoft 365, banking, HMRC, and more. They’re ideal for location stalking, tracking key personnel without their knowledge. And of course, SMS phishing gets easier when attackers can intercept legitimate codes and inject malicious ones.
You don’t need to be on MI5’s target list to be interesting. Maybe you just signed a big contract. Maybe you’ve got competitors with fewer ethics than brain cells. Or maybe your payroll provider uses SMS OTPs and just got breached.
Whatever the reason, you’re not invisible, and SMS is not security.
SMS 2FA: A Security Measure That’s Outlived Its Usefulness
Text-message-based two-factor authentication was fine in 2011 when the biggest cyber threat was a dodgy Java plugin. In 2025? It’s security theatre. SMS is sent in plaintext, with no encryption. It’s as secure as shouting your login code across a crowded pub. It’s easy to reroute. SS7 lets attackers forward your messages without you knowing. SIM-swap fraud still exists, and when combined with an SS7 intercept, you’re wide open. And mobile numbers are too public. Yours is on every business card, email signature, and website contact form. It’s practically your username.
And yet, UK businesses—especially SMBs—still treat SMS OTP like it's the gold standard. Stop. Now.
Alternatives That Don’t Suck
If you’re still using SMS for anything remotely sensitive, it’s time to bin it and move to something less 1970s. Use a TOTP app like Google Authenticator, Microsoft Authenticator, or Authy. These generate codes on-device from a secret shared once at enrolment, so no code is ever delivered over the mobile network, and they work offline. Or go for push notifications from Duo, Okta, or Microsoft Authenticator. They send an encrypted message directly to your phone—no SMS, no SS7, no faff.
Want to really level up? Try FIDO2 hardware keys like YubiKey or Feitian. Or use biometric login with supported passkey platforms. Modern browsers and Microsoft 365 already support passwordless login. It’s fast, secure, and doesn’t rely on a flaky mobile signal.
Veritasium Video: Watch the Horror Show
In a standout demonstration, Veritasium's Derek Muller teamed up with Linus Tech Tips to show just how easy it is to hijack SMS messages using SS7. The video, titled "Exposing The Flaw In Our Phone System," lays it bare: minimal information is required, full message interception is possible, and real-time location tracking happens without you even noticing. If that doesn’t make you drop SMS for good, you may want to check your pulse.
Telcos, Get in the Bin
Let’s also take a moment to recognise the true MVPs of this mess—the telcos who, despite years of warnings, still route everything through SS7 without effective filtering, rate-limiting, or firewalls.
Sure, some providers claim to have SS7 firewalls now. But guess what? They’re inconsistent, unregulated, and mostly lip service. The UK’s own National Cyber Security Centre has gently nudged telcos to act for years. The Mobile UK association won’t even use the word SS7 in public statements. That’s how committed they are to fixing it.
Final Word: You Don’t Get to Act Surprised Anymore
This is not new. The warnings have been in plain sight for years. But if you’re reading this and still allowing your payroll system, CRM, bank, or user logins to depend on SMS—you are the breach waiting to happen.
The SS7 zero-day story just gives us a convenient headline to yell under. But the point is bigger: SMS 2FA is broken. It cannot be fixed. And continuing to use it in 2025 is about as smart as securing your front door with a shoelace and some chewing gum.
If your MSP is still enabling it, sack them. If your cloud provider only supports it, demand better. And if your staff are stuck in the "it’s easier" mindset, remind them what’s easier than 2FA: losing the company laptop, the bank account, and the client list all in one go.
| Source | Article |
|---|---|
| Cybersecurity News | Hackers Selling SS7 0-Day Vulnerability |
| EFF | SS7 Is Fundamentally Broken |
| Wired | Fix SS7 or Lose Your Bank Accounts |
| Ars Technica | SS7 Used to Spy and Steal |
| The Guardian | O2 and German Bank SMS Hack |
| FirstPoint | SS7 Attack Guide |
| Vectra AI | Hidden Risks of SMS MFA |
| Gartner | MFA via SMS Is Not Secure |
| NCSC | The Security of SMS Texts |
| ZDNet | SS7 Vulnerabilities Are Still Being Abused |
| Veritasium (YouTube) | Exposing The Flaw In Our Phone System |