The Bank Text Code You Trust Has No Encryption and Never Did — Here's the Technical Breakdown

What's New Since Our Last Report
Our previous coverage explained the attack chain: hackers reset your MFA, steal the token, and walk into your account. Readers wanted to know if the text codes themselves were safe. The answer, backed by technical data now coming into clearer view, is NO — and the reasons go deeper than most mainstream coverage bothers to explain.
Fox News consumer tech coverage raised the baseline question this week, noting that readers like Kyra from West Plains, Missouri are genuinely confused about what "two-factor authentication" even means when every bank does it differently. That confusion is not the reader's fault. It's a systemic failure by the banking industry to communicate — or fix — a known weakness.
SMS Was Never Encrypted. Period.
Here's what the financial press keeps glossing over.
According to a technical breakdown published by Alibaba's LifeTips platform, SMS shortcodes — the "BAL to 23456" style codes most U.S. and Canadian banks use — operate on zero end-to-end encryption. None. The message travels through carriers who log full payloads, and intermediaries retain that metadata for at least 18 months under GDPR and CCPA-compliant retention policies.
Your bank texts you a login code. Your carrier stores it. Multiple intermediaries touch it. Nobody encrypted it.
The same source cites Twilio's Q3 2023 latency report showing 4 to 18 second delivery variance on SMS codes, and CTIA's 2024 SMS reliability benchmark finding that 12.3% of messages experience delays over 10 seconds and 4.1% fail to deliver at all. The system is unencrypted and unreliable.
The Three Systems Banks Use — And Why All Three Have Problems
Mainstream coverage treats "text codes" as one thing. It's not. According to the Alibaba LifeTips analysis, there are three distinct protocols at play:
USSD codes (like *120*456#) are session-based, real-time, and require no internet. They dominate in emerging markets like Kenya, Nigeria, and India. Median latency is under 1.2 seconds per GSMA 2023 field trials. But they still rely on SS7 network routing — the same decades-old telecom backbone that security researchers have demonstrated can be intercepted by nation-state actors.
SMS shortcodes are the U.S. standard. Asynchronous, store-and-forward, unencrypted, unreliable. This is what most Americans are using right now.
IVR codes — the phone tree systems where you punch in numbers after calling a toll-free line — are the worst of all. A KLM-GOMS analysis cited by the same source found IVR requires 3.7 times more keystrokes than USSD, and an AARP 2024 usability study found 22% higher error rates among users aged 65 and older. The banks that use this for "security" are making it hardest on the most vulnerable customers.
None of these three systems authenticate users cryptographically. They all rely on SIM binding or pre-registered phone numbers, which means they all share the same core vulnerability: SIM swap attacks and SS7 interception.
What Actually Works
Jappware, a mobile banking security firm, published analysis noting that the more secure alternatives already exist and are already deployed — just not universally. Biometric authentication (fingerprints, Face ID), authenticator apps that generate time-based codes locally on your device, and end-to-end encrypted in-app push approvals are all meaningfully stronger than SMS.
An authenticator app generates your code on your device and never transmits it through a carrier network. There's no SMS to intercept. No carrier log to subpoena. No SS7 to exploit.
Jappware's CEO Andriy Rymar wrote that mobile banking apps, when properly built, are "often more effective" than browser-based banking precisely because of these added layers. The problem is that "properly built" requires investment that not every bank has made.
Why Banks Still Use SMS
Most coverage — including Fox News's consumer-friendly framing this week — asks "are text codes enough?" That's the wrong question, because it implies text codes are a reasonable baseline that might just need a slight upgrade.
Why are major U.S. banks still using an unencrypted, unreliable, 1990s-era protocol as their primary authentication layer in 2026? The answer comes down to cost and inertia. SMS is cheap to deploy. Authenticator apps require customer education. Biometrics require hardware investment. Banks made a business decision to prioritize convenience and cost savings over security — and regulators let them.
The Reddit personal finance community flagged something practical this week that the technical reports miss: people receiving unsolicited bank security codes they didn't request. Someone is attempting to log into those accounts right now. Most users have no idea what to do when that happens.
What You Should Do Today
If your bank offers an authenticator app option, use it. If it offers in-app push approval, use that instead of SMS. If SMS is your only option, that tells you something important about how seriously your bank takes your security.
Call your bank and ask specifically: "Can I disable SMS authentication and use an authenticator app instead?" If they say no, you're carrying risk that isn't yours to carry.
The banks built this vulnerability into the system. Regular people are paying the price.