Concepts
The first question: Why would this work?
People may wonder quite incredulously: "All it takes is to just send an SMS? That's it? That's all it takes to enter a website?"
A few years back, yes, such a simple system would have been fraught with danger. Why? Because in those days any hacker could send an SMS and change even the number from which the SMS appeared to have been sent. This was misused by some people. For example, a man trying to harass someone else's wife could send an SMS spoofing her husband's phone number. When she received the text and looked at the sender of the message, it would seem that the SMS had indeed come from her husband's number.
This loophole has now been completely eliminated.
No more spoofing of origination numbers!
All phone networks all over the world scrupulously guard the phone numbers of their subscribers. It is now virtually impossible for someone to spoof the origination number. What is an origination number? It is the number from which the SMS originated, i.e. your phone number if you are the one who sent the SMS. If the SMS was sent through an online SMS gateway, the origination number is whatever number that gateway used to send the SMS.
It goes without saying that anyone who does attempt origination number spoofing would be doing something quite illegal, with heavy penalties in almost all countries. It would also require a lot of money, maybe even access to the data centres of telephone companies, for that to work.
So all those nefarious websites that were making money in such a sleazy manner, by allowing people to spoof even the origination phone number itself, are gone. Of course, there are a few that claim they can do such spoofing, just to get some money illicitly. Those who use such services soon realize that such websites cannot really spoof the origination phone number.
SENDER-IDs can be spoofed ... But not the origination number.
What some websites still allow is spoofing of the SENDER-ID that is displayed on the receiver's phone.
You may have received messages from, say, AXISBNK; the word "AXISBNK" is the Sender-ID. But note that the origination phone number behind that Sender-ID can NEVER be spoofed. It is only the displayed sender-id that can be changed.
Also note that even sender-id spoofing is highly regulated: one usually needs to submit legally verified documentation, etc. in order to get that facility.
What is the use of spoofed SENDER-IDs?
You may wonder: why would anyone really want to spoof the sender-id? There are still legal and good reasons for spoofing the sender-id. A bank may want to send out SMS using many different phone numbers (to handle the load). In order to reassure the receiver, it may legally spoof all those numbers to display the same (or similar) IDs on the receiver's phone. For example, an account holder of Axis Bank may get SMS from, say, AXIS-BNK1, AXIS-BNK2, etc. from Axis Bank. If such sender-ids were not set, the recipient would get confused.
The phishing hole, or rather smishing hole, and the failure of SMS OTPs
The fact that the SENDER-ID can be spoofed is a serious double-edged sword. Because a Sender-ID can be obtained legally, some nasty people may actually purchase a Sender-ID, e.g. AX1SBNK (where the numeral 1 would often turn up as "I" in many phones), from some online SMS gateway.
This has become a serious headache, as such sender-IDs are used to conduct phishing attacks. (When SMS is involved, the term is "smishing".) Here is how a hacker can con a person: he calls up the victim and says, "You will now get a link from our bank, Axis Bank", and then sends the victim a clickable link via an SMS whose sender-ID is set to "AX1SBNK". As explained earlier, if the numeral 1 is seen as I (which is the case in many phones), the unsuspecting victim may indeed think it is from Axis Bank and then get conned!
In short, inward SMS are proving to be highly vulnerable to such attacks.
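A recipient-side check for the look-alike sender IDs described above, as an added example that is not part of the original page: it folds characters that render alike (1/I, 0/O, 5/S, 8/B) and flags any displayed ID that collapses onto a trusted one without matching it exactly. The allow-list and the folding table are constructed for illustration.

```python
import re

# Constructed allow-list: sender IDs this recipient already trusts (assumption).
KNOWN_SENDER_IDS = {"AXISBNK", "AXIS-BNK1", "AXIS-BNK2"}

# Characters that many phone fonts render alike, folded to a single form.
CONFUSABLE = str.maketrans({"1": "I", "L": "I", "0": "O", "5": "S", "8": "B"})


def skeleton(sender_id: str) -> str:
    """Upper-case, drop separators, then fold look-alike characters."""
    cleaned = re.sub(r"[^A-Z0-9]", "", sender_id.upper())
    return cleaned.translate(CONFUSABLE)


def classify_sender_id(sender_id: str, known=KNOWN_SENDER_IDS) -> str:
    """Return 'known', 'lookalike:<trusted ID>' or 'unknown'."""
    if sender_id.upper() in known:
        return "known"
    target = skeleton(sender_id)
    for trusted in sorted(known):
        # Same skeleton but not an exact match: visually confusable ID.
        if skeleton(trusted) == target:
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample sender IDs.
    for sid in ["AXISBNK", "AX1SBNK", "AXI5-BNK1", "SHOPNOW"]:
        print(sid, "->", classify_sender_id(sid))
```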
And the long and short of this: Simply Sign In asks for an OUTWARD SMS, i.e. the user has to originate the SMS. As explained earlier, even if that user spoofs the sender-id, it won't trouble us: the origination number cannot be changed anyway, and our system works only on that origination number. Nothing else.
Summary
Outward-going SMS, i.e. SMS voluntarily sent by the user, is an excellent method to get an authentic ID of the user.
In fact, if you are not looking for the additional features that we have implemented, and you want to develop a membership system of your own that you don't have to pay for, you can easily set up a system that receives such SMS from potential users and uses them to register those users.
Of course, there would be costs involved in programming, setting up the background systems, etc. It is much cheaper and a lot more effective to use Simply Sign In instead.
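The outward-SMS registration flow described above, as an added example that is not Simply Sign In's own code: the site shows a one-time code, the user texts it in, and the web session is bound to the origination number the gateway reports. The one-time code, its 300-second lifetime, the class and field names, and the sample phone number are assumptions made for illustration.

```python
import re
import secrets
import time

TOKEN_TTL = 300  # seconds a displayed code stays valid (assumed value)
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


class OutwardSmsLogin:
    """Binds a web session to the origination number of an SMS the user sends."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # code -> (session_id, expiry time)
        self._verified = {}  # session_id -> origination number

    def start(self, session_id: str) -> str:
        """Issue the one-time code the website shows for the user to text in."""
        code = secrets.token_hex(4).upper()
        self._pending[code] = (session_id, self._now() + TOKEN_TTL)
        return code

    def on_inbound_sms(self, origination_number: str, sender_id: str, body: str):
        """Handle one message handed over by the gateway (field names are
        hypothetical). Identity comes only from origination_number; the
        user-controllable sender_id is deliberately never consulted."""
        if not E164.match(origination_number):
            return None                      # reject before burning a code
        entry = self._pending.pop(body.strip().upper(), None)  # single use
        if entry is None:
            return None                      # unknown or already-used code
        session_id, expiry = entry
        if self._now() > expiry:
            return None                      # code expired
        self._verified[session_id] = origination_number
        return session_id

    def phone_for(self, session_id: str):
        """Return the verified origination number for a session, if any."""
        return self._verified.get(session_id)


if __name__ == "__main__":
    login = OutwardSmsLogin()
    code = login.start("session-A")
    # Constructed inbound message carrying a misleading sender ID.
    print(login.on_inbound_sms("+919800000001", "AXISBNK", code))
    print(login.phone_for("session-A"))
```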