Hide your texts to protect more than juicy gossip
By default, most smartphones display the first few words of incoming text messages on the phone’s lock screen. You should absolutely, 100% change that default setting. Allowing incoming texts to be readable on the lock screen is a gaping security hole.
One reason, apart from snoops being able to read your messages, is that your texts may contain multi-factor authentication (MFA) codes. These codes are usually six-digit numbers that a company sends you when you try to log into an online account.
Why should you protect your lock screen?
Imagine that someone gets hold of not only your phone, but also one of your username and password combinations (they are incredibly cheap to buy on the dark web). If you allow preview text on the lock screen, that bad guy now has access to MFA codes sent by SMS or email, meaning they have a front door to your account.
Even if you remotely lock your phone, which you would if it were lost or stolen, all the hacker needs to do is remove the SIM card (assuming you have a physical one, not an eSIM) and insert it into a new phone. Then they again have access to incoming texts.
Here’s what to do: First, change the default setting on your phone to hide previews of incoming text messages and emails. Second, you should consider changing the method you use for MFA to something other than one-time passwords sent via SMS.
The image in the middle shows an incoming text message with its contents hidden. The images on the left and right show similar notifications from Gmail and Messages with a preview of the message visible. (Credit: PCMag)
How to hide text messages and emails from the lock screen
On your iPhone, go to Settings > Messages > Notifications. Look for a section called Lock Screen Appearance. Tap Show Previews and select Never. It’s the same for email: Go to Settings and then choose your email app; then select Notifications and turn off the Show previews option.
Or, if you want to hide all apps from showing content on the lock screen, go to Notifications > Show previews > Never. If you choose this option, you won’t see much detail from any app when you get notifications. You will only see the app’s name, icon, received time and an indication that you have a notification. So, for example, if you want your app to tell you from the lock screen the license plate number of the car picking you up, don’t use this general method of hiding notification previews.
Every Android phone is a little different, so the exact steps to hide messages on your locked phone or in your messaging app may vary.
If you just want to hide the content of text messages, open your Messages app and go to Settings > Notifications > Notification settings in the app. Look for the Preview new messages option and turn it off.
There is another option that is even more secure. You can hide the contents of all alerts, not just messages. Doing so will prevent people from seeing snippets of incoming emails and other potentially personal information. Go to Settings > Notifications and check Sensitive alerts. Turn it off. Now only the app name and arrival time of new messages are displayed on the lock screen, not the content of the notifications.
Change your MFA method
Hiding the content of incoming messages is one way to protect your privacy and be a little safer online. Another option I recommend in addition to hiding your text messages is to change how you authenticate yourself. Getting a code via text or email isn’t the only way to do it. With some accounts, you can choose the method. (That said, not all companies will give you an option. Some will insist on sending codes via text or email, which is why hiding the preview of incoming messages on your phone is so important.)
All of the security experts at PCMag wholeheartedly recommend using multi-factor authentication where available. However, choosing codes sent via SMS is not the safest option. It is better to use an authenticator app or a physical security key.
Authenticator apps generate a code, much like the code you might get via SMS, but it’s generated right on your phone, making it more secure than a code sent wirelessly to your SIM card. As mentioned, anyone with your SIM card can get these codes, or the codes can be intercepted in transit. That is not the case with an authenticator app. Some examples of authenticator apps are Google Authenticator, LastPass Authenticator, and Twilio Authy. They are all free and there is not too much difference between them.
Physical security keys
A physical security key is among the most secure ways to authenticate yourself. These keys are small devices you carry with you that authenticate your identity. Only you hold your key. The dongle interacts with your devices in a number of ways, depending on exactly what type of dongle you have, such as connecting to a USB-C or other port or through near-field communication.
Your key is unique to you and requires no batteries, internet connection or moving parts to function. Our favorite security key at the moment is the Yubico YubiKey 5C NFC because it works with almost any device and retails for a reasonable price ($55), although there are good options for closer to $20.
It’s better to stay on top of your privacy than clean up a mess later
Taking small steps to protect your privacy and keep your online accounts secure is undoubtedly preferable to cleaning up a security disaster after it happens. Hiding your text messages and using secure forms of MFA do more to protect you than you might realize. For example, a few years ago Google required employees to use physical keys for MFA, and account takeovers effectively dropped to zero. Don’t underestimate an ounce of prevention, especially when it comes to your online security.
If you’ve recently been hacked, read up on what to do now (or bookmark the article for when you or a friend need it).