by fgpwd 3000 days ago
SMS is not safe as a second factor.

The known attacks I have come across in India include the hacker somehow coming across your SIM card number and using that to get a new SIM card issued in your name. A lot of people have had their bank accounts drained this way (source: social media posts).

There was another thread yesterday on this where someone mentioned they could just rent a cell tower in Malaysia at $10 an hour and broadcast your number as roaming there to get your messages. Also mentioned were mobile number porting attacks, though I don't know how viable that would be in India.

There are so many apps with the permission to read your messages on Android. I wonder how many of these upload your messages to the cloud. An attacker could simply get the OTP from there, by creating a malicious app or attacking the database of another app uploading your messages. Also possibly your SIM card number, which I have seen apps broadcasting in the open, unencrypted.

Another scenario - let's say you have a prepaid connection. You go abroad on a vacation without this number, or get sick or whatever, and forget to recharge your phone. The provider can stop your services and give your SIM to a new user. The new user now gets all your OTPs.

There are probably more attacks. Messages to your phone are just not a safe choice for 2-factor authentication, but sadly that is the base on which Aadhaar is built. Even today one can open a bank account with just an Aadhaar number and an OTP. Wait till people start taking loans in others' names.