The Hole
SMS: The Unkillable Protocol
40m · Mar 19, 2026
Friedhelm Hillebrand solved a problem nobody thought existed in 1984—and created a protocol so resilient that two billion people still depend on it to move trillions of dollars every year, with zero encryption and zero updates since 1992.

The Protocol Beneath Everything

Every time your bank sends you a six digit code, that code travels by SMS. Every time a farmer in rural Kenya sends money to her family, the transaction moves by SMS. Every time you reset a password, confirm an appointment, or verify a new account, the confirmation arrives by SMS. More than two billion people who have never owned a smartphone depend on it. Trillions of dollars flow through it every year. It has no encryption. It has never been fundamentally updated. And it was designed to fit in the leftover space of a control channel that nobody else wanted.

This is the story of how one hundred and sixty characters became the most resilient protocol in the history of communication. To tell it, we need to go back to a typewriter in Bonn.

One Hundred and Forty Bytes of Nothing

In nineteen eighty four, in the offices of the Deutsche Bundespost in Bonn, a German telecommunications engineer named Friedhelm Hillebrand had a problem that nobody else thought was a problem. The European mobile telephone standards group, the Groupe Spécial Mobile, was building the architecture for what would become the global standard for cellular communication. They were designing voice channels, signaling protocols, encryption schemes, handoff procedures. Nobody was thinking about text. Hillebrand was. He chaired the non-voice services committee, a subgroup so unglamorous that most delegates treated it as a coffee break from the real work.

The cellular signaling channel, the narrow data pipe that phones used to negotiate connections with towers, had a little unused capacity. One hundred and forty bytes of space in the Mobile Application Part payload that carried no user data. It was the digital equivalent of the margins on a printed page, structural whitespace that existed because the protocol reserved room for headers and routing information, and not every message used all of it. Most engineers saw dead space. Hillebrand saw an opportunity.

What if you could squeeze a short written message into that unused space? Not a new channel, not a new protocol, not a new piece of infrastructure. Just words, riding the gaps in a system that already existed. The message would travel on the same signaling path that handled call setup, location updates, and authentication. It would cost the network essentially nothing to transmit, because the signaling channel was already there, already powered, already being broadcast whether anyone used the spare capacity or not.

There was one constraint. The payload could carry exactly one hundred and forty bytes. Using a seven bit character encoding, a scheme called GSM seven bit, that gave you room for one hundred and sixty characters. Letters, numbers, spaces, punctuation. One hundred and sixty characters total. Was that enough to say anything useful?
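The arithmetic behind that limit, as an added example that is not part of the original episode: a packer for the GSM 7-bit default alphabet (GSM 03.38) showing 160 septets filling exactly 140 octets. It goes beyond the text by also handling the extension table (characters that cost two septets) and the UCS-2 fallback for text outside the alphabet; the function names and the sample one-time-code message are constructed for illustration.

```python
"""GSM 7-bit packing: why 140 octets hold 160 characters (added example)."""

PAYLOAD_OCTETS = 140  # user-data size stated in the text

# GSM 03.38 default alphabet; a character's index is its septet value.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128
ESC = 0x1B
# Extension table: each of these costs two septets (ESC + code).
GSM7_EXT = {"\f": 0x0A, "^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
            "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}
GSM7_EXT_REV = {code: ch for ch, code in GSM7_EXT.items()}


def to_septets(text):
    """Map text to 7-bit values; raise ValueError if a character has no mapping."""
    septets = []
    for ch in text:
        if ch in GSM7_EXT:
            septets += [ESC, GSM7_EXT[ch]]
            continue
        value = GSM7_BASIC.find(ch)
        if value < 0 or value == ESC:
            raise ValueError(f"{ch!r} is not in the GSM 7-bit alphabet")
        septets.append(value)
    return septets


def from_septets(septets):
    """Inverse of to_septets. No key is involved: this is a layout, not a cipher."""
    out, it = [], iter(septets)
    for value in it:
        if value == ESC:
            out.append(GSM7_EXT_REV.get(next(it, None), " "))
        else:
            out.append(GSM7_BASIC[value])
    return "".join(out)


def pack_septets(septets):
    """Pack 7-bit values into octets, least significant bits first."""
    out, acc, bits = bytearray(), 0, 0
    for value in septets:
        acc |= value << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data, count):
    """Recover `count` septets; the count is needed because padding is ambiguous."""
    out, acc, bits = [], 0, 0
    for octet in data:
        acc |= octet << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return out


def payload_cost(text):
    """Return (encoding, units_used, units_available, octets) for a single SMS."""
    try:
        septets = to_septets(text)
    except ValueError:
        # Outside the alphabet: falls back to 16-bit UCS-2, so 140 // 2 = 70 units.
        octets = len(text.encode("utf-16-be"))
        return ("UCS-2", octets // 2, PAYLOAD_OCTETS // 2, octets)
    return ("GSM-7", len(septets), PAYLOAD_OCTETS * 8 // 7, len(pack_septets(septets)))


if __name__ == "__main__":
    samples = ["Merry Christmas", "A" * 160, "A" * 161, "€" * 80, "你好"]
    for sample in samples:
        enc, used, avail, octets = payload_cost(sample)
        verdict = "fits" if octets <= PAYLOAD_OCTETS else "does not fit"
        print(f"{enc:6} {used:3}/{avail:3} units, {octets:3} octets: {verdict}")
    # Constructed one-time-code message: packed bytes decode back with no secret.
    otp = to_septets("Your code is 493027")
    print(from_septets(unpack_septets(pack_septets(otp), len(otp))))
```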

The following year, in nineteen eighty five, Hillebrand went home to his apartment in Bonn, sat down at his typewriter, and started typing. Random messages. Questions. Requests. The kind of things you might write on a postcard to a friend or tap out in a quick business telex. He typed each one, then counted every character. The letters, the spaces, the commas, the periods. Message after message, he found the same thing. They almost always came in under one hundred and sixty characters.

He checked postcards. People had been writing personal messages on postcards for over a century, and those messages, squeezed into a small rectangle of cardboard, almost never exceeded one hundred and fifty characters. He checked telex transmissions, the workhorse of business communication, and found the same pattern. Human beings, it turned out, had been naturally composing messages in this range for decades. They just never had a reason to notice.

Setting one hundred and sixty characters is perfectly sufficient for messaging purposes. This is enough for most useful communications.

His colleagues on the committee were not convinced. Before the typewriter experiment, Hillebrand had argued with a friend about whether one hundred and sixty characters could carry meaningful communication. His friend told him it was impossible for the mass market. But Hillebrand was stubborn, and his French counterpart Bernard Ghillebaert, who directed GSM development at France Telecom, saw the same potential. Together they drafted a proposal. In October nineteen eighty four, the Franco-German cooperation program produced a document calling for the provision of a message transmission service of alphanumeric messages to mobile users with acknowledgement capabilities.

In February nineteen eighty five, at a GSM group meeting in Oslo, the proposal was formally submitted. It passed. Not because people were excited about it, but because it cost almost nothing. The signaling channel was already there. The spare capacity was already there. All you needed was a server to store and forward messages, and a way for the handset to display text. The risk, as Hillebrand later told a German newspaper, was very low. All the providers needed was a server, and equipping the cell phones was easy.

Nobody at that meeting in Oslo imagined what would happen next. They were building a minor convenience feature for a telephone standard. They were filing a specification for a protocol that would carry more human communication than any technology in history, move more money than most banks, secure more accounts than any lock or key, survive every attempt to replace it, and outlive the careers of everyone in the room. And the decision that made it all possible was the decision to build on what already existed, to use the gaps instead of demanding new infrastructure. Every constraint Hillebrand accepted became a moat.

Merry Christmas

Seven years passed. The specification gathered dust in filing cabinets while the GSM standard slowly rolled out across Europe. The first GSM network went live in Finland in nineteen ninety one. The first commercial GSM calls followed in country after country. But nobody had built the infrastructure to actually send a text message. The specification existed. The phones could theoretically receive them. But nobody had constructed the Short Message Service Center, the server that would store messages and route them to the right handset. The carriers were betting on voice. They were investing in call quality, coverage expansion, roaming agreements. Text was an afterthought written into a standard that nobody had gotten around to implementing.

In late nineteen ninety two, a small Anglo-French IT services company called Sema Group won a contract from Vodafone to build exactly that system. A team of engineers installed the Short Message Service Center at a Vodafone site west of London. On December third, nineteen ninety two, a twenty two year old engineer on the Sema team named Neil Papworth sat at a computer terminal, typed fifteen characters into the system, and sent the first text message in history.

The message traveled from Papworth's computer, through the Short Message Service Center, over the Vodafone network, and arrived on the screen of an Orbitel nine oh one mobile phone, a handset that weighed more than four and a half pounds. The phone belonged to Richard Jarvis, a director at Vodafone, who was at the company's Christmas party. The message read: Merry Christmas.

Jarvis could not reply. Mobile phones in nineteen ninety two could receive text messages but not send them. There was no keyboard, no input method, nothing. Papworth had sent the message from a computer because that was the only way to compose one. Shortly after, Papworth received a phone call from the Christmas party confirming that the message had arrived. Twenty five years later, in an interview with the CBC, Papworth recalled the moment with the understatement that only an engineer could manage.

It did not feel momentous at all. If I had tried to put some kind of meaningful message in there, twenty five years later, you guys would be talking about, what was he really thinking when he sent that? Why did he say that? Whereas the fact that it was just Merry Christmas, there is no other meaning to it, really.

Papworth spent much of the following decade traveling the world installing SMS systems for Sema Group. He relocated to Canada in two thousand, settled in Montreal, and eventually moved through Tekelec, Oracle, and cloud consulting. A quiet career in the infrastructure he helped build. The first text message earned him no royalty, no fame beyond occasional anniversary interviews.

It took another two years before Nokia released the Nokia two one one zero, the first handset that could both send and receive text messages. And even then, the prediction that nobody would bother typing on a phone keypad seemed correct. In nineteen ninety five, the average GSM subscriber sent zero point four messages per month. Not four. Zero point four. Less than one message every two months. Telecoms executives looked at those numbers and saw a dead feature. They were already planning the next generation, moving beyond voice to multimedia, video, the real future of mobile communication.

Here is the decision that matters. The carriers chose not to invest in SMS. They chose not to market it, not to improve the input methods, not to explore what text could do. They poured billions into voice infrastructure and multimedia pipelines, treating text messaging as a rounding error. And because they did not invest, they also did not price it seriously. In many markets, SMS was thrown in as a freebie, a throwaway perk bundled with voice plans to pad the feature list. That non-decision, that institutional shrug, created the opening for what happened next.

The Rebellion in the Margins

Nobody planned what happened next, and that is what makes it beautiful. Across Europe and Asia in the late nineteen nineties, teenagers discovered that text messages were cheap. For teenagers with strict phone budgets and an unlimited need to communicate with each other, the carrier's pricing non-decision was a revelation. The feature that the industry had dismissed was exactly the feature that fit their constraints.

In the Philippines, where mobile adoption was exploding but call rates were high, texting became a national pastime almost overnight. Filipinos were sending over a hundred million text messages per day by two thousand one, earning the country the nickname the texting capital of the world. In Japan, the culture had a head start. Japanese teenagers in the mid nineteen eighties had already developed an entire communication system using pagers, encoding emotions and greetings into numeric sequences based on the multiple ways numbers could be read in Japanese. They called the devices pokeberu. When mobile phones with text messaging arrived, this generation was already fluent in the art of condensing feeling into a small screen. NTT DoCoMo's i-mode service, launched in nineteen ninety nine, brought mobile internet and email to the phone, and schoolgirls were the first to respond. One million users in the first year. Fifteen million by the end of two thousand.

In the United Kingdom, in Scandinavia, in Germany, the pattern repeated. Teenagers were typing messages under desks at school, under blankets at night, on buses and trains and park benches. They invented a new language to fit the constraint. U instead of you. R instead of are. Two for to, four for for, eight for ate. LOL, BRB, TTYL. The linguist David Crystal, who devoted an entire book, "Texting: The Great Debate," to the phenomenon, found that text language was not a degradation of English but a creative adaptation, a new register that followed consistent internal rules and required genuine linguistic skill to deploy effectively. Typically less than ten percent of words in any given text message were actually abbreviated. The teenagers were not ruining language. They were extending it.

The carriers noticed the numbers, and what they found changed the economics of mobile forever. In nineteen ninety seven, European operators carried one billion text messages. By two thousand two, the number had exploded to over two hundred and fifty billion. The cost to the network of sending a text message was essentially nothing. The signaling channel was already there, already active, already broadcasting. A text message did not consume any capacity that would otherwise carry a phone call. One analysis calculated the carrier cost of a single SMS at roughly one third of a penny. When customers were paying ten or fifteen cents per message, ninety eight percent of that was pure profit.

And here is where the carriers faced their real decision. They had accidentally created the most profitable service in telecommunications history. A feature that nobody had asked for, built on unused capacity in a signaling channel, typed on phone keypads that were never designed for text input, adopted by a demographic that the industry had not targeted. The technology commentator Rick Falkvinge calculated that carriers were charging more to send a text message to a phone next door than NASA spent per kilobyte to transmit data from Mars. The comparison was unfair in almost every technical sense. Defenders of carrier pricing argued that SMS revenue subsidized network buildout across developing nations, and that the marginal cost argument ignores the enormous fixed costs of building and maintaining the cellular infrastructure. Both points were fair. But the carriers chose to milk the margins rather than invest in improving SMS itself. They raised per-message prices even as their costs stayed at zero. They locked in multi-year contracts with SMS bundled at profitable rates. They did not improve the input methods, did not extend the character limit, did not add encryption or multimedia. They extracted maximum revenue from a protocol they had not built, did not market, and never intended to matter. That extraction funded the networks. It also ensured that when the smartphone era arrived, messaging apps had a wide open target.

In two thousand twelve, SMS traffic peaked at six point six trillion messages worldwide. The average subscriber was sending one hundred and seventy messages per month. In two thousand thirteen, the global SMS business generated an estimated two hundred and forty billion dollars in revenue. All from one hundred and forty bytes of previously unused space in a signaling channel.

The Parade of Replacements

If you have followed the mobile industry at any point in the last twenty years, you have heard the announcement. SMS is dead. The replacement has arrived. The future is here. Let us count the replacements.

MMS, the Multimedia Messaging Service, arrived in two thousand two. It would do everything SMS could do, plus pictures, audio, video, longer text. The carriers invested billions in infrastructure. The handset manufacturers added camera and multimedia support. The standard was approved, the networks were built, and then almost nobody used it. MMS required complex handset configuration that most users could not manage. It was priced far higher than SMS. It was unreliable across different phone models and carrier networks. Unlike SMS, which piggybacked on the signaling channel and arrived even when the data network was congested, MMS needed its own bandwidth. By the early twenty twenties, carriers in India, the Philippines, Singapore, Germany, and Switzerland had quietly shut down their MMS services entirely. The standard that was supposed to make SMS obsolete was itself being discontinued, country by country, like a chain of shops quietly closing.

Then came the smartphone era. iMessage, WhatsApp, Facebook Messenger, WeChat, Telegram, Signal, Viber, Line, KakaoTalk. Each one was faster than SMS, richer than SMS, encrypted where SMS was plaintext, free where SMS was metered. Every one of them required an internet connection, a specific app, a specific operating system, and the assumption that the person you were messaging used the same service. Every one of them was better than SMS in every measurable way. And every one of them failed to kill it.

Then came RCS, Rich Communication Services, the industry's official next generation replacement for SMS. Backed by Google, endorsed by the GSM Association, supported by most major carriers. RCS promised to bring SMS into the modern age with read receipts, typing indicators, high resolution photos, group chats, and end to end encryption. It was an open standard, unlike iMessage or WhatsApp, which meant no single company controlled it. That was genuine progress. But RCS has been in development since two thousand seven. Almost twenty years later, it remains a fragmented mess. Many carriers support it. Many do not. Many mobile virtual network operators are excluded entirely. Apple resisted for years, arguing that iMessage's encryption and privacy model was superior, before grudgingly adding support in iOS eighteen. Older phones cannot use it at all. The rollout has been so inconsistent that even compatible devices frequently fail to establish RCS connections and fall back to plain SMS.

Here is the pattern. Each replacement was designed to be better. Each one was better. And SMS kept going. It kept going because it had a property that none of its replacements could match. SMS works on every phone ever made since nineteen ninety three. It works without an internet connection. It works without downloading an app. It works without creating an account. It works without agreeing to terms of service. It works on a fifteen dollar flip phone in rural Kenya and a twelve hundred dollar smartphone in Manhattan. It works when the cell tower is barely in range and the signal drops to a single bar. It is the lowest common denominator of digital communication, and that is not an insult. That is its superpower.

The technical architecture underneath is called store and forward. Your phone sends the message to the Short Message Service Center. The center holds it. When the recipient's phone connects to the network, the center delivers it. If the recipient is out of range, the center waits, typically twenty four to forty eight hours, and tries again. No internet needed. No app server needed. No cloud infrastructure needed. Just the cellular signaling channel and a patient database.

After two thousand twelve, the chat apps took over peer to peer messaging, and SMS volumes declined. But the decline stopped. SMS found a new floor, a new purpose, and a new market that turned out to be even larger than person to person messaging had ever been. And the most extraordinary use of SMS was not happening in Silicon Valley or London or Tokyo. It was happening in rural Kenya.

The Bank That Runs on Nothing

In two thousand three, in the offices of Vodafone's social enterprise division in London, a British telecommunications executive named Nick Hughes had an idea that sounded either visionary or insane, depending on which meeting you were in. Hughes held a doctorate in applied sciences from Loughborough University and an MBA from London Business School. Before joining Vodafone, he had spent two years running the climate change program at BP. He was not a typical telecom executive. He had been watching mobile phone adoption in sub-Saharan Africa, where handset penetration was growing faster than anyone had predicted, and he noticed something. In Kenya, where mobile phones were spreading rapidly, the vast majority of the population had no bank account. Not because they did not want one. Because there were no banks.

In rural Kenya, in two thousand three, a bank branch might be fifty kilometers away over unpaved roads. For a farmer earning two dollars a day, traveling to the bank cost more than the transaction was worth. The same farmer who could not reach a bank had a mobile phone. Maybe a shared phone, maybe borrowed, but the mobile network had reached places where roads and banks and electricity had not.

Hughes proposed something radical. What if the mobile phone itself became the bank? Not a smartphone app. Not mobile internet banking. Just SMS and SIM toolkit menus. A farmer types a short code into a basic handset, enters a PIN, specifies an amount and a phone number, and money moves. No internet. No smartphone. No bank account. Just a text message on the cellular signaling channel.

It was all about finding a solution to a problem. How to move money safely and securely in an environment where banking has only reached a small proportion of the population and where the only infrastructure available was the mobile network.

He took the idea to the Department for International Development, the British government's aid agency, and secured one million pounds in grant funding. Vodafone matched it. Together they had roughly three million dollars to build a prototype.

The original plan was not even a money transfer service. It was a way to distribute and repay microfinance loans. Vodafone partnered with Safaricom, the largest mobile network operator in Kenya, and brought on Susie Lonie, a mobile commerce specialist, to manage the project on the ground. Lonie was sent to Nairobi in two thousand five to turn a general concept into a working system, and she quickly discovered that the distance between a London conference room and a Kenyan market town was measured in more than kilometers.

We knew roughly what we wanted the end result to be, but one reason I was on the ground was to turn this general concept into reality and come to terms with how different things are in Africa, the different infrastructure in place, the different levels of education, the huge numbers of languages people speak.

The pilot launched in Thika and Nairobi. The customers were microfinance borrowers. The system worked. People could repay their loans by text message. But during the pilot, Lonie and her team noticed something unexpected. The users were not using the system primarily for loans. They were sending money to their families. Migrant workers in Nairobi were loading cash onto their accounts at local agents and transferring it to relatives in the countryside, who would walk to their nearest agent and withdraw the cash. The users had hijacked the pilot and turned it into a remittance service. This was not a failure of the plan. This was the users making a design decision that the engineers had not made.

Hughes understood that the customers were telling him something.

Put something into the market place, watch what your customers do with it, and then change your business model to that.

They pivoted. In March two thousand seven, Safaricom formally launched M-Pesa. The name combined mobile with the Swahili word for money, pesa. The service did exactly what the pilot users had demanded. You deposited cash with a local M-Pesa agent, a shopkeeper or kiosk operator who had signed up for the network. The cash was converted to electronic value on your phone. You sent that value to another phone number via SMS. The recipient walked to their nearest agent and withdrew the cash. No bank required. No internet required. No smartphone required. Part of the success, Hughes later reflected, came from keeping the service uncomplicated. The decision to build on the most primitive, most universal protocol available, instead of waiting for smartphones and internet banking, was the decision that brought financial services to people who had been excluded from the system their entire lives.

The adoption curve was vertical. Within the first month, over twenty thousand people signed up. By the end of two thousand seven, M-Pesa had over one million registered users. Within two years, nearly seven million, in a country of about forty million people. By twenty thirteen, sixty four percent of M-Pesa users had no bank account at all before joining the service. They had never had access to any form of formal financial service. Now they had a bank in their pocket, and it ran on a protocol designed to fit in the unused space of a signaling channel.

A study published in Science found that M-Pesa lifted one hundred and ninety four thousand Kenyan households, roughly two percent of the national total, out of poverty. The largest benefits went to female headed households, where the ability to receive money from relatives without traveling to a distant bank branch and without relying on physical cash carriers who might steal or demand a cut changed the fundamental economics of daily survival.

By twenty twenty four, M-Pesa had over sixty six million customers across Africa. Annual transaction volume exceeded thirty three billion transactions. The service processes over fifty billion dollars in value each year. The mobile money industry it spawned has reached two billion registered accounts globally. Hughes went on to co-found M-Kopa Solar, bringing clean energy to off-grid households using the same mobile money infrastructure. And at the foundation of all of it, underneath the apps and the APIs and the financial infrastructure that has been built on top, the original transaction still moves as a text message on a cellular signaling channel.

Now hold all of that in your mind. Sixty six million customers. Two billion mobile money accounts. Hundreds of millions of people whose access to financial services depends entirely on the ability to send and receive a text message. Because the next chapter is about what happens when you learn that the protocol carrying all of that money has no lock on the door.

The Ghost in the Wires

The protocol that secures billions of accounts and moves billions of dollars was designed in an era when the idea of intercepting a text message was science fiction. SMS has no end to end encryption. The message travels in plaintext between your phone and the cell tower, is stored in plaintext at the Short Message Service Center, and is delivered in plaintext to the recipient. Anyone who can access the network infrastructure between those points can read the message.

For most of SMS history, this did not matter. To intercept a text message, you needed physical access to telecom equipment, or cooperation from a carrier, or a government warrant. The barrier was not cryptographic. It was practical. But a system designed to route calls between trusted national telephone companies in the nineteen seventies was never built to withstand attackers who could buy access to the network for a few thousand dollars on the gray market.

The system's name is Signaling System Seven. It was designed in the nineteen seventies by the International Telecommunication Union to let telephone networks talk to each other. When you place a call from one carrier to another, SS Seven handles the signaling. It sets up the connection, manages the routing, and tears down the call when you hang up. It is the nervous system of global telephony, and it was built on a single assumption that made perfect sense in nineteen seventy five. Every node on the network is trusted. In that era, the only nodes were national carriers and large equipment manufacturers. AT and T, British Telecom, Deutsche Telekom. You did not get access to SS Seven without being a telephone company, and telephone companies were regulated monopolies with government oversight. Trusting every node was the same as trusting every government.

Then mobile phones happened. Then deregulation happened. Then globalization happened. By the twenty first century, there were thousands of carriers worldwide, including small virtual operators, resellers, and companies in jurisdictions with minimal oversight. Any entity with SS Seven access could, in theory, send routing messages to any other entity on the network. And SS Seven had no authentication. No encryption. No way to verify that the node sending a request was who it claimed to be. The same protocol that let one carrier route a call to another also let an attacker redirect someone's text messages to a server they controlled.

In December twenty fourteen, at the thirty first Chaos Communication Congress in Hamburg, two security researchers presented their findings. Tobias Engel demonstrated how SS Seven vulnerabilities could track any mobile phone's location in real time. And Karsten Nohl, a German cryptographer with a doctorate from the University of Virginia and founder of the Berlin based Security Research Labs, showed how those same vulnerabilities could intercept phone calls and text messages. The attack was not theoretical. It was a live demonstration on stage. The audience at the Chaos Communication Congress, a crowd of hackers and security researchers who were not easily shocked, understood immediately. This was not a bug in a piece of software that could be patched. It was a fundamental design flaw in the backbone of global telecommunications, and fixing it would mean rebuilding the trust model of every telephone network on earth.

In April twenty sixteen, Nohl went on the CBS program Sixty Minutes and demonstrated the attack for a national television audience. The show gave a brand new iPhone to United States Congressman Ted Lieu, a Democrat from California who holds a computer science degree from Stanford. Lieu agreed to use the phone for his normal daily business, knowing it would be targeted. Nohl's team, operating from Berlin, used SS Seven to track Lieu's movements around Los Angeles, read his text messages, and record his phone calls. All they needed was the phone number.

We can track their whereabouts, know where they go for work, which other people they meet when. You can spy on whom they call and what they say over the phone. And you can read their texts.

Nohl explained to the Sixty Minutes audience that the attack worked regardless of anything the target could do. It did not matter which phone you bought, which PIN you set, which apps you installed or did not install. The vulnerability was in the network itself, not in the device.

The mobile network is independent from the little GPS chip in your phone, it knows where you are. So any choices that a congressman could have made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing, because this is targeting the mobile network.

When the correspondent played a recording of one of his intercepted calls, the congressman's reaction was visceral.

First, it is really creepy. And second, it makes me angry.

Lieu pushed the Federal Communications Commission to investigate. The investigation proceeded slowly. Meanwhile, in January twenty seventeen, attackers in Germany exploited SS Seven to drain bank accounts. The attack on customers of O two Telefonica was a two stage operation. First, the attackers used phishing and malware to steal online banking credentials, passwords, account numbers, and the phone numbers associated with the accounts. Then they used SS Seven to redirect the victims' incoming text messages to phones they controlled. When the banks sent two factor authentication codes via SMS, the codes went straight to the attackers. They logged in, initiated transfers, received the confirmation codes, and emptied the accounts. Remember the sixty six million M-Pesa customers. Remember the two billion mobile money accounts. Remember every farmer in rural Kenya whose financial life depends on SMS. The protocol that connects them has no lock on the door.

The Code in Your Pocket

Every time you log into your bank, your email, your social media account, and a six digit code arrives on your phone, that code traveled by SMS. This is two factor authentication, and SMS is its backbone. The logic seems obvious in retrospect. You need a second channel, something separate from the password, to prove you are who you say you are. And SMS reaches every phone on earth. No app to install. No hardware token to carry. No biometric scanner to configure. Just a phone number, which almost every human on the planet already has.

By two thousand nineteen, there were roughly ten point seven billion two factor authentication enabled accounts worldwide. Of those, forty one percent used SMS as their verification method, making it the single most popular form of second factor authentication on earth. More than seventy two percent of digital platforms integrate SMS based verification systems. Every major bank, every major email provider, every social media platform, every ride sharing app, food delivery service, and e-commerce site. The system that carries these codes is the same one Hillebrand designed in nineteen eighty four, running on the same signaling channel, using the same one hundred and forty byte payload, governed by the same store and forward architecture.

The application to person SMS market, the industry term for automated messages sent from businesses and services to phones, reached roughly seventy five billion dollars in twenty twenty five. That number is growing, not shrinking, even as person to person texting declines. The machines keep texting even when the humans stop.

In July twenty sixteen, the National Institute of Standards and Technology took the extraordinary step of publishing draft guidelines recommending against using SMS for two factor authentication. Due to the risk that SMS messages or voice calls may be intercepted or redirected, they wrote, implementers of new systems should carefully consider alternative authenticators. The industry's response was a collective shrug. One chief information security officer told reporters that the National Institute of Standards and Technology was about three to five years too early from a practical perspective. The alternative to SMS, hardware tokens for every user, was simply too expensive and too complicated to deploy at scale. A study by Duo Security found that the announcement had virtually no impact on SMS usage. The rate of SMS based two factor authentication remained roughly the same before and after the warning.

The irony was exquisite. In the same month that the National Institute of Standards and Technology published its recommendation against SMS authentication, the Social Security Administration announced its new security measure for online accounts. The method they chose was SMS two factor authentication. The requirement applied to all users accessing their accounts online, and since the agency distributes retirement benefits primarily to seniors, many of whom do not own mobile phones, the policy drew immediate criticism. But the SSA had the same problem everyone else had. The alternative was asking every retiree in America to install an authenticator app on a smartphone they might not own.

And that captures the entire predicament. Everyone knows SMS is insecure. The protocol has no encryption. The network it rides on was designed when trust was assumed. Billions of dollars and billions of accounts depend on it anyway. Because the alternative is not a better protocol. The alternative is asking every person on earth to install a specific app, or carry a specific device, or use a specific platform. And SMS, unkillable, unreplaceable SMS, is the only protocol that reaches all of them.

The Minimum Viable Protocol

So here we are. More than four decades after Hillebrand and Ghillebaert drafted their proposal. More than three decades after Neil Papworth typed Merry Christmas on a computer terminal west of London. Every replacement has arrived. Every replacement was superior. And SMS is still here.

It is here because it made a series of decisions that look like limitations but function as advantages. The decision to use the signaling channel instead of a dedicated data channel meant SMS cost nothing to transmit, which meant carriers had no reason to remove it, which meant it became universal. The decision to cap messages at one hundred and sixty characters meant the protocol was so small it could survive degraded networks, congested towers, and the absolute minimum of bandwidth. The decision to use store and forward instead of real time delivery meant messages could survive intermittent connectivity, which is not an edge case but the everyday reality of mobile networks across most of the world. Every one of these decisions was a constraint, and every constraint became a moat.

Consider what would happen if SMS disappeared tomorrow. Not text messaging in general. There are dozens of alternatives. But the specific SMS protocol running on the cellular signaling channel. M-Pesa and every mobile money service built on its model would lose their transaction layer. Billions of two factor authentication codes would have no delivery channel. Every automated appointment reminder, delivery notification, and bank fraud alert would cease. The airline boarding pass that arrived via text, the verification code for your new laptop, the message from your doctor's office confirming your appointment. All of it runs on a protocol that fits in the leftover space of a control channel.

The security researchers are right that SMS is insecure. The National Institute of Standards and Technology is right that it should not be the first choice for high value authentication. The SS Seven vulnerabilities are real, documented, and actively exploited. But when the security community says stop using SMS, they are making a technical argument against a social reality. The social reality is that SMS reaches every phone on earth. The social reality is that the alternative requires installing an app that three billion people do not have, on a smartphone that two billion people cannot afford, using an internet connection that one billion people cannot access.

The minimum viable protocol often outlives the feature rich replacement. This is not a law of nature. It is a pattern that appears whenever a technology's reach matters more than its capabilities. The fax machine outlived every fax replacement for decades. AM radio still reaches places that the internet does not. When a technology is everywhere, its flaws become less important than its ubiquity. And SMS is, by any measure, the most ubiquitous digital communication protocol ever created, used by more people than the internet itself.

Even its cultural fingerprint runs deeper than most people realize. In two thousand six, a small team at a San Francisco podcasting company called Odeo was brainstorming new products. Jack Dorsey pitched a platform for real time status updates, designed around SMS. Each message had a hard limit of one hundred and sixty characters. They reserved twenty characters for the username and left one hundred and forty for the content. The platform was Twitter. The one hundred and forty character limit that defined a generation of public writing, that forced presidents and poets and protestors to choose their words with the economy of a telegram, was a direct inheritance from Hillebrand's typewriter experiment in Bonn.

Hillebrand understood something, even if he did not have the language for it. When he sat at his typewriter in Bonn and concluded that one hundred and sixty characters was perfectly sufficient, he was not just measuring message length. He was discovering the minimum viable unit of human communication. Not the best. Not the richest. Not the most secure. Just enough to say what needs to be said, carried on a channel that costs nothing, stored by a server that can wait, delivered to any phone in the world.

The SMS specification turns forty two this year. It has never been fundamentally updated, never been patched, never been extended in any way that changes what it is. The one hundred and forty byte payload is the same. The store and forward architecture is the same. The seven bit character encoding is the same. The protocol that carries your bank's verification code today is, byte for byte, the same protocol that carried Merry Christmas in nineteen ninety two.
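The arithmetic behind the one hundred and forty byte payload and the seven bit encoding, as an added example that is not part of the original episode: a minimal packer for the GSM 7-bit default alphabet (basic table only, with extension characters such as the euro sign rejected as a simplification). The function names are this example's own; note that the packing is a fixed public mapping with no key, so anyone holding the octets can read the text.

```python
# Added example: GSM 7-bit default alphabet packing, basic table only.
# The index of each character in GSM7 is its 7-bit code.
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
MAX_OCTETS = 140  # user data space in a single message


def pack(text):
    """Pack text into octets, 7 bits per character, low-order bits first."""
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        code = GSM7.find(ch)
        if code < 0 or ch == "\x1b":  # 0x1B is the escape to the extension table
            raise ValueError(f"{ch!r} is not in the basic 7-bit table")
        acc |= code << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)  # final partial octet, zero padded
    if len(out) > MAX_OCTETS:
        raise ValueError(f"{len(text)} characters need {len(out)} octets")
    return bytes(out)


def unpack(octets, count):
    """Recover `count` characters from packed octets. No key is involved."""
    bits = int.from_bytes(octets, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))


if __name__ == "__main__":
    msg = "Merry Christmas"  # constructed sample input
    packed = pack(msg)
    print(len(msg), "characters ->", len(packed), "octets:", packed.hex())
    print("decoded without any secret:", unpack(packed, len(msg)))
    print("160 characters ->", len(pack("A" * 160)), "octets")
```
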

Billions of people depend on it. Trillions of dollars move through it. Its flaws are as universal as its reach. It was designed in the margins, built on leftovers, adopted by accident, and kept alive by the one quality that no superior technology has been able to replicate.

It works for everyone.