Feds Warn SMS Authentication Is Unsafe (gizmodo.com)
- Reference: 0175704333
- News link: https://tech.slashdot.org/story/24/12/19/2132228/feds-warn-sms-authentication-is-unsafe
- Source link: https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129
> Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a [1]new warning (PDF) about text messages.
>
> "Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore [2]not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
The telecommunications hack mentioned above has been called the "[3]worst hack in our nation's history," according to Sen. Mark Warner (D-VA).
[1] https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
[2] https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129
[3] https://yro.slashdot.org/story/24/11/22/2336254/china-wiretaps-americans-in-worst-hack-in-our-nations-history
And the alternative? (Score:2)
Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.
Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
Re: (Score:2)
> Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
Well, if you get one from one of the usual suspects (Google, Microsoft) they tend to have backup functions with their own platforms. If on Android I would recommend Authenticator Pro (now called [1]Stratum [github.com] it seems). It's open source and has an encrypted local backup feature you can then just move off-device however you wish.
[1] https://github.com/stratumauth/app
Re: (Score:2)
Some systems have backup keys for if you lose app access.
Of course those then become a storage liability.
Re: (Score:2)
If you're using a TOTP-based auth (and to my knowledge, most of the authentication apps are built on top of TOTP) you should be able to get the secret as a string instead of a QR code, and save the secret somewhere else.
With that said, I agree - you need a backup for the authentication app. Whether it is a list of one-time recovery codes, the ability to register a second authentication app and/or hardware keys.
Otherwise what they're really saying is they'll go along with the appearance of supporting highe
Lock? (Score:2)
If SMS messages aren't encrypted, then what does the lock mean when you send the message??
Re: (Score:3)
It means you're not sending a SMS message. You're communicating over an RCS chat.
Re: Lock? (Score:2)
Then how do you send an SMS on Android? Is "messages" not SMS?
I've Preferred TOTP For a While (Score:4, Interesting)
While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.
Re: (Score:2)
> While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all...
I'm tempted to contact my own bank now and mention this specific government guidance, I have the same SMS MFA deal now. But it seems too soon to expect them to have a real response. As far as the second bank you mention, I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.
Fiasco (Score:3)
This current fiasco aside, I've been saying this basically since "2FA" became a thing. Not that anyone listens to me. It does very little to actually secure a password-protected account. It makes those accounts LESS secure, not more, since SIM cloning and other (mostly social engineering) vulnerabilities are practically trivial for a determined attacker, which is another whole discussion.
If the problem is that people reuse and choose weak passwords (it mostly is) and forget them (which they do) then enforce a password length of 12 characters without any specific character requirements, and that's it, or even better make them pick four at least four-letter-words and tell them to remember the words or write them down and store securely, and have another method (involving a human) to authenticate the account in the event of a lost password. If you must use "2FA" use email, not SMS. It's still not great, but it's somewhat better. Authenticator apps are fine, so use those if you must. And for God's sake don't require password changes! Let them pick a strong password and keep it until *they* want to change it!
2016 (Score:2)
People have been getting their crypto wallets stolen this way for almost a decade, with SS7 hijacking and sim-swap attacks.
Glad the feds noticed nine years later. /s
SMS MFA (Score:1)
Can this finally be the death of email / SMS multi-factor authentication?
Please?
Re: (Score:2)
Instead they will want it to be the death of non-biometric ID.