Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

Submitted by
Style Pass
2021-07-21 07:30:11

Stack Exchange network consists of 178 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Information Security Stack Exchange is a question and answer site for information security professionals.

Providers and governments can see these SMS messages in plaintext, but what is weird is that these messages are not encrypted in transit.

According to my knowledge, that makes the service vulnerable to MiTM attacks: a semi-skilled hacker who knows my location can intercept the connection and get a code to reset my Google account's password for example.

Yes, you're right. SMSes are not recommended in any two-factor authentication (2FA) process nowadays. They can be easily intercepted and modified.
