Hackers love text messages, and the numbers show why. SIM‑swap cases—where criminals hijack a victim’s phone number to intercept one‑time passwords—spiked 1,055 percent in 2024 and continue climbing this year, according to a July report from security firm Keepnet Labs. Yet tens of millions of people still rely on SMS codes as their only layer of extra login security. Cyber‑crooks have caught on: they bribe carrier employees, exploit weak “port‑out” procedures, or abuse SS7 signalling holes to reroute messages, then empty bank or crypto accounts while victims’ phones go dark.
Regulators and banks now treat text‑message 2FA as a ticking bomb. Australia’s Macquarie Bank warned last month that “days are limited” for SMS verification after a string of super‑fund breaches, telling customers the channel is “not secure” against spoofing and number‑hijack scams.
What to use instead? The safest upgrade is a phishing‑resistant security key—a tiny FIDO2 device such as a YubiKey or Google Titan that plugs into USB‑C or pairs over NFC. A would‑be attacker would need to physically possess that key to log in, making SIM swaps irrelevant. If buying hardware feels like overkill, app‑based codes (Google Authenticator, Microsoft Authenticator, Authy) are a big step up because they stay on your handset and never travel the phone network. Push‑based prompts—where you approve a login with a tap inside your banking app—close the gap further by binding each request to the device. And the industry’s next leap, passkeys, eliminates one‑time codes entirely. Apple, Google and Microsoft already sync passkeys across billions of devices, and 75 percent of consumers surveyed in the latest FIDO report say they now recognise and trust the technology.
Switching is straightforward. Open the security or login‑settings page for every critical service—email first, then banking, social and cloud storage—and add an authenticator‑app method or a security key. Many platforms let you keep SMS as a fall‑back but move it to the bottom of the preference list, so texts trigger only if stronger factors fail. Where passkeys are offered (PayPal, Shopify, iOS 17 apps, Google accounts), enrol at least two devices plus a hardware key to ensure you’re never locked out. Finally, ask your mobile carrier for a number‑lock or port‑freeze, which adds a PIN that thieves must supply before any SIM swap is processed.
Text messages once felt convenient; in 2025 they are an open invitation to account takeovers. With app codes, push prompts, security keys and passkeys now free or inexpensive—and regulators steadily outlawing SMS 2FA—there is no reason to keep your most valuable accounts tied to a technology that attackers can hijack with a single phone call.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
