views: 319

answers: 2

I am currently developing a web service that is configured to receive SMS text messages from different cell phones. Along with each message I also get the mobile number from which the SMS originated.

My question is: is it possible for someone to masquerade as a different phone number? That is, is it possible to send an SMS from a phone (or by other means) and make it look as if it came from a particular number?

I have read of SMS spoofing, where it is possible to receive SMS intended for other numbers, but I want to know if it is possible to send while posing as someone else (sending from a phone, a web app, etc.).

+2  A: 

As I can send via the GMX web interface with my phone number as the sender, I conclude that it is indeed possible.

StampedeXV
+5  A: 

Spoofing is pretty trivial with the right setup. For example, we send large numbers of SMS using a 3rd-party aggregator service, and each SMS has an "originator" field, which can be a phone number (specifically, an MSISDN), or a text value. We could, if we wanted, put anyone's number in there.

SMS is extremely insecure. It was designed as a back-channel for GSM engineers to test their networks, and turned out to be a nice revenue spinner, so they just left it as it is.

That's not to say you shouldn't send sensitive information over SMS, just be aware of the insecurity, and trust (or don't trust) messages accordingly. No channel is 100% secure; you need to decide if it's secure enough for what you want to send over it.

skaffman
Yes, all international push aggregators allow changing the sender
fravelgue
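
Since the originator field is whatever the sending party puts in it, a receiving web service can treat it as an unverified claim. The sketch below is an added example, not code from the question or the answers: it holds an inbound message until a one-time code sent back to the claimed number is returned. `SenderVerifier`, the `send_sms` callable and the 300-second lifetime are assumptions standing in for whatever gateway and policy the service uses.

```python
import hmac
import re
import secrets
import time

# Digits-only originator (optionally with '+'); text originators do not match.
MSISDN_RE = re.compile(r"\+?[1-9]\d{6,14}")
CODE_TTL = 300  # assumed lifetime of a challenge, in seconds


class SenderVerifier:
    """Treats the originator of an inbound SMS as a claim until it is confirmed."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # hypothetical callable(to, text) wrapping the SMS gateway
        self.pending = {}         # claimed number -> (code, expiry, held message)

    def on_inbound(self, originator, text, now=None):
        now = time.time() if now is None else now
        if not MSISDN_RE.fullmatch(originator):
            # A text originator cannot be called back, so it cannot be confirmed.
            return ("rejected", None)
        entry = self.pending.get(originator)
        if entry and now <= entry[1] and hmac.compare_digest(
                text.strip().encode(), entry[0].encode()):
            # The code came back: whoever replied can read SMS delivered to this number.
            del self.pending[originator]
            return ("verified", entry[2])
        # First contact, wrong code or expired code: hold the message and
        # send a fresh code to the claimed number, not to the connection it came from.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[originator] = (code, now + CODE_TTL, text)
        self.send_sms(originator, f"Reply with code {code} to confirm your request")
        return ("challenged", None)
```

A party that only forged the originator never sees the code, because it is delivered to the real subscriber. The check does not help against someone who can also receive messages intended for that number, which is the other kind of spoofing mentioned in the question.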