Millions of people are at risk due to the increasing use of SMS-based authentication links by online services, according to a recent study. These links, intended to simplify the login process, are leaving users vulnerable to scams, identity theft, and other crimes.
The research, published last week, identified over 700 endpoints delivering such texts on behalf of more than 175 services. These services span a wide range of sectors, including insurance quotes, job listings, and referrals for pet sitters and tutors. Instead of requiring users to create and remember usernames and passwords, these services often request a cell phone number during signup and then send authentication links or passcodes via SMS when the user wants to log in.
One of the key vulnerabilities identified in the study is the use of easily enumerated links. This means that scammers can potentially guess the links by simply modifying the security token, which is typically found at the end of the URL. By manipulating these tokens, malicious actors could gain unauthorized access to user accounts.
The researchers emphasized the ease with which these attacks can be executed at scale. The automated nature of SMS delivery and the simplicity of token manipulation make it relatively easy for scammers to target a large number of users simultaneously.
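The enumeration weakness described above, shown as an added example that is not code from the study or from any of the services it covers: a login-link issuer whose token is a counter, beside a hardened issuer that uses a random, hashed, single-use, expiring token. The class names, the 10-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the article gives no figure


class WeakLinkIssuer:
    """Vulnerable pattern: the token is a counter, so neighbouring values are valid."""

    def __init__(self, start=100000):
        self._next = start
        self.sessions = {}  # token -> phone number, kept forever

    def issue(self, phone):
        token = str(self._next)
        self._next += 1
        self.sessions[token] = phone
        return token  # ends up at the end of the SMS link

    def redeem(self, token):
        return self.sessions.get(token)  # no expiry, reusable


class HardenedLinkIssuer:
    """128-bit CSPRNG token, stored only as a hash, single-use, short-lived."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (phone, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, phone):
        token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (phone, expires_at)
        return token

    def redeem(self, token):
        # pop() makes the token single-use, even when it has already expired
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        phone, expires_at = entry
        return phone if self._clock() <= expires_at else None
```

Because the hardened issuer stores only the SHA-256 digest, a leaked token table does not yield working links.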
Security experts are advising users to be cautious when clicking on links received via SMS, especially if they were not explicitly requested. They also recommend enabling two-factor authentication whenever possible, using more secure methods such as authenticator apps, which provide a higher level of protection against phishing and account takeovers.
The findings of this study highlight the growing need for stronger authentication methods that prioritize user security and privacy. While SMS-based authentication may offer convenience, the associated risks are becoming increasingly apparent, prompting calls for more robust and secure alternatives.