SMS login links create a security risk for digital financial services, researchers warn

Convenience often comes at a high price in security. Many digital services have shifted to sign-in links delivered via SMS: users enter a phone number, receive a text message, click the link, and gain access to their account. Researchers warn that this simplicity creates a major vulnerability when attackers obtain the link.

In analysis cited by TechRadar, researchers examined more than 33 million SMS messages and found that at least 177 digital services expose users to risk. The affected services span categories including insurance platforms, job postings, and personalized-recommendation systems.

How SMS login links can be exploited

The core issue is that these authentication systems treat “owning the link” as equivalent to “owning the account,” without additional verification. If a third party obtains the link, they can access personal data without needing a password.

Three technical weaknesses in URL-based SMS authentication

• Low token entropy: Among the surveyed services, up to 125 use tokens that can be guessed using simple algorithms with predictable patterns. Attackers can attempt brute-force by changing a few characters at the end of the URL to find valid user links.
• Long link lifetime: Rather than expiring quickly like typical one-time passwords, many SMS login links remain valid for months or even years. This extends the period during which attackers can reuse links if they obtain old data from backups or leaked message stores.
• Data over-exposure after login: After a user clicks the link, the system logs them in and automatically retrieves sensitive information—such as date of birth, banking details, and credit records—often without the user seeing it on screen. If an attacker intercepts this data, they can collect a victim’s full identity.

Why SMS remains widely used

Despite advances such as biometrics and hardware security keys, SMS is still common because it is broadly compatible. However, the SMS protocol is not end-to-end encrypted, meaning message data can pass through carrier networks and may be stored in insecure databases.

The risk is amplified by real-world incidents involving leaked SMS storage databases, which can expose login links that remain valid for extended periods.

Additional threats include SIM swapping and ongoing vulnerabilities related to SS7. If an attacker temporarily gains control of a victim’s phone number, they can request SMS login links and compromise multiple linked accounts.

Practical steps to reduce exposure

• Adopt stronger multi-factor authentication: Security experts recommend using authenticator apps (such as Google Authenticator or Microsoft Authenticator) or physical security keys (such as YubiKey). These methods generate codes on-device and do not depend on easily transferable or interceptable URLs.
• Be cautious with unexpected SMS login requests: Do not click SMS login links unless you have just initiated the request. Some links may be designed to harvest data immediately upon clicking.
• Review and delete old messages: Because some login links can remain valid for years, periodically deleting messages containing authentication codes or login links can reduce risk if a phone is lost or if cloud backups are compromised.