When two-factor authentication (2FA) first went mainstream, SMS verification codes seemed like a simple and effective solution. You log in with your password, a code arrives on your phone and you type it in. Even if someone steals your password, they cannot get in without your phone. Simple, right?
Unfortunately, SMS-based 2FA has become one of the weakest links in account security. Attackers have developed multiple reliable methods to intercept or steal SMS codes, and these techniques are now widely used in targeted attacks against individuals and organizations. In 2026, relying on SMS for your most important accounts is a risk you should understand and address.
The mechanism is straightforward. When you log in to a service with your password, the server generates a short numeric code (typically 6 digits) and sends it to the phone number registered on your account via the SMS network. You enter the code into the login form within a time window (usually 30 to 60 seconds) and the server verifies it matches. If it does, you are in.
The security assumption is simple: only the person holding the physical phone can receive the SMS. But that assumption has been broken in multiple ways.
SIM swapping is the most common and well-documented attack against SMS 2FA. The attacker contacts your mobile carrier — by phone, online chat or even in person at a store — and convinces the representative to transfer your phone number to a new SIM card that the attacker controls.
The social engineering is surprisingly straightforward. The attacker provides personal information gathered from data breaches, social media or public records: your name, date of birth, address and the last four digits of your Social Security number. In many cases, this is enough. Some carriers have been found to transfer numbers based on even less verification.
Once the swap is complete, the attacker's phone receives all calls and SMS messages intended for you — including verification codes. Your phone loses service entirely. The attacker then has a window (often 30 minutes to several hours before you realize what happened and contact your carrier) to log in to your accounts, reset passwords and drain funds.
The global telephone network relies on a set of protocols called Signaling System 7 (SS7), designed in the 1970s when the telecom network was a closed system operated by trusted parties. SS7 was never built with security in mind because it was assumed that only telephone companies would have access to it.
That assumption no longer holds. Access to SS7 infrastructure can be purchased through rogue telecom operators, compromised network equipment or underground markets. An attacker with SS7 access can intercept SMS messages in transit without the victim or the carrier knowing. The message is silently redirected to the attacker while the legitimate recipient never receives it.
SS7 attacks have been documented in real-world incidents. In 2017, German banks reported that attackers used SS7 interception to steal SMS codes and empty customer bank accounts. The vulnerability remains unpatched in 2026 because replacing SS7 would require a global overhaul of telecommunications infrastructure.
The real-time phishing relay is the most sophisticated of these attacks, and it defeats SMS 2FA completely, even without intercepting the SMS itself. Here is how it works:
The entire process happens in seconds. You receive a legitimate SMS code from the real service, which makes the experience feel completely authentic. The attacker acts as an invisible proxy between you and the real website, capturing everything in real time.
Tools like Evilginx and Modlishka have made this attack accessible to attackers with moderate technical skills. These open-source frameworks automate the entire relay process.
Mobile malware can silently read incoming SMS messages and forward them to an attacker. On Android, malicious apps that request SMS permissions can intercept verification codes without any visible indication. Some malware variants can even delete the SMS after reading it, so you never see the code arrive.
These malicious apps are distributed through fake app stores, sideloaded APK files, phishing links and occasionally even through legitimate app stores before being detected and removed. Once installed, the malware runs in the background and monitors all incoming messages for patterns that look like verification codes.
These are not theoretical attacks. They happen regularly to real people with real consequences.
Not all second factors are created equal. Here is how the common options compare, ranked from most secure to least secure.
| Method | Phishing Resistant | Intercept Resistant | Convenience |
|---|---|---|---|
| Passkeys / FIDO2 | Yes (domain-bound) | Yes | High (biometric) |
| Hardware security keys | Yes (domain-bound) | Yes | Medium (physical device) |
| TOTP apps | No | Yes | High |
| Email codes | No | Partial | Medium |
| SMS codes | No | No | High |
Passkeys (FIDO2/WebAuthn) are the gold standard. They use public-key cryptography bound to the specific domain: the browser records the origin the user is actually on, and the service rejects any response signed for a different origin, so a phishing site on another domain cannot complete the authentication. Even a perfect real-time phishing relay fails because the cryptographic challenge is tied to the legitimate domain. Passkeys authenticate with a biometric (Face ID, fingerprint) or a hardware key, making them both highly secure and convenient.
Time-based one-time passwords (TOTP) are generated locally on your device using a shared secret and the current time. They are not transmitted over any network, which makes them immune to SIM swapping, SS7 attacks and phone malware that reads SMS. The codes rotate every 30 seconds.
TOTP is vulnerable to real-time phishing relays (the attacker can capture and use the code before it expires), but it eliminates the entire category of network-based interception attacks that plague SMS.
Email-based codes are more secure than SMS because email accounts are typically protected by their own 2FA and are harder to hijack than phone numbers. However, if an attacker has access to your email (through a separate compromise), email codes offer no protection. They also share the real-time phishing relay vulnerability with SMS and TOTP.
SMS sits at the bottom of the ranking. It is vulnerable to SIM swapping, SS7 interception, real-time phishing relays and phone malware. Its only advantage is ubiquity — every phone can receive SMS, no app installation required.
Despite everything above, an important point must be made: SMS 2FA is still significantly better than no 2FA at all. The vast majority of account compromises happen through credential stuffing (trying leaked passwords from data breaches) and simple phishing. In both cases, even SMS 2FA adds a barrier that stops most attackers.
The attacks described in this article — SIM swapping, SS7 interception and real-time phishing relays — require effort, resources and often specific targeting. A random attacker who bought your leaked password from a data breach is unlikely to also SIM-swap your phone number. They will simply move on to the next victim who has no 2FA at all.
If you are currently using SMS codes for your accounts, here is how to upgrade to TOTP using UnveilPass's built-in authenticator:
From now on, when you log in to that account, UnveilPass can autofill both your password and your TOTP code — making the login process faster and more secure than SMS ever was.
SMS verification codes were a good idea when they were introduced. They added a meaningful layer of security at a time when most accounts had only a password. But the threat landscape has evolved and SMS has not kept pace. SIM swapping, SS7 attacks, real-time phishing relays and mobile malware have turned SMS into the weakest form of two-factor authentication available.
The good news is that better alternatives exist and are widely supported. TOTP apps eliminate network-based interception entirely. Passkeys go further by binding authentication to the legitimate domain, which defeats phishing relays. And password managers like UnveilPass integrate both TOTP and passkeys into a single workflow, so upgrading your security does not mean adding complexity to your daily routine.
Take 15 minutes today to audit your accounts. Identify which ones still use SMS 2FA and switch them to TOTP or passkeys. Your future self will thank you.
UnveilPass includes a TOTP authenticator in every vault entry. Generate and autofill verification codes without a separate app.