Do you use text messages for multi-factor authentication? You should probably switch to a different method, especially with everything we’re learning about a recent hack that’s been dubbed the “worst in our nation’s history.” Even the federal government is putting out warnings now, including a call for government officials to only use encrypted apps for communication.
Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that they were able to intercept the unencrypted communications of a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed the hackers to listen to phone calls and grab text messages, and the penetration has been so extensive that they still haven’t been evicted from the telecom networks.
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting “highly targeted individuals,” which includes a new warning about text messages.
“Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals,” the guidance, which has been posted online, reads.
Not every service even offers multi-factor authentication, and sometimes text messages are the only second factor available. But when you have a choice, pick a phishing-resistant method such as a passkey or a hardware security key. Failing that, an authenticator app is still a clear step up from SMS: its codes never cross the carrier’s network, so a telecom compromise cannot read them, even though a phishing page can still trick you into handing one over. CISA prefaces its guidance by stressing that it is speaking specifically about high-value targets.
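To make the “phishing-resistant” distinction concrete, here is an added illustration in Python; it is not code from the article or from CISA. It models the two kinds of second factor side by side: a one-time code, whether delivered by SMS or generated by an authenticator app, which a phishing page can simply relay to the real site before it expires, and a WebAuthn-style assertion (the mechanism behind passkeys and security keys) whose signed client data records the origin the browser actually connected to, so the same relay is rejected. The origins bank.example and bank-login.example are constructed for the example, and the credential “signature” is an HMAC stand-in for the real public-key signature.

```python
import hashlib
import hmac
import json
import secrets
import struct

# --- One-time codes (RFC 4226 HOTP / RFC 6238 TOTP) ---------------------------
# An SMS code travels over the carrier network; a TOTP code is computed on the
# phone. Either way the relying party only learns "the user knew the code",
# not where the user typed it.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)


def rp_verify_otp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Relying-party check: accept the current step and one step either side."""
    return any(hmac.compare_digest(code, totp(secret, unix_time + d * step))
               for d in (-1, 0, 1))


def otp_relay_attack(secret: bytes, unix_time: int) -> bool:
    """Adversary-in-the-middle: the victim types a fresh code into a phishing
    page and the attacker forwards it to the real site within the window.
    Nothing in the code binds it to the genuine origin, so it is accepted."""
    victim_code = totp(secret, unix_time)                     # typed into bank-login.example
    return rp_verify_otp(secret, victim_code, unix_time + 5)  # replayed to bank.example


# --- WebAuthn-style assertion (passkeys / security keys) ---------------------
RP_ORIGIN = "https://bank.example"   # constructed example origin
RP_ID = "bank.example"


def rp_issue_challenge() -> str:
    return secrets.token_hex(16)


def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """The browser, not the page, fills in clientData.origin; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON). HMAC stands in here for
    the credential's public-key signature (a simplification for this example)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify_assertion(cred_key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:            # the phishing-resistant check
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, assertion["auth_data"]
                        + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def webauthn_relay_attack(cred_key: bytes) -> bool:
    """Same adversary relays the genuine challenge to the victim's browser, but
    the browser records the origin it is really on. Returns the RP's verdict."""
    challenge = rp_issue_challenge()             # issued to the attacker's session
    assertion = authenticator_sign(cred_key, challenge, "https://bank-login.example")
    return rp_verify_assertion(cred_key, challenge, assertion)


def webauthn_honest_login(cred_key: bytes) -> bool:
    challenge = rp_issue_challenge()
    return rp_verify_assertion(cred_key, challenge,
                               authenticator_sign(cred_key, challenge, RP_ORIGIN))


if __name__ == "__main__":
    otp_secret, cred_key = b"12345678901234567890", secrets.token_bytes(32)
    print("OTP relayed via phishing page accepted:", otp_relay_attack(otp_secret, 1_700_000_000))
    print("Honest WebAuthn login accepted:", webauthn_honest_login(cred_key))
    print("WebAuthn assertion relayed via phishing page accepted:", webauthn_relay_attack(cred_key))
```

The point to take from the two relay functions is that the OTP relying party has nothing to check beyond the digits, while the WebAuthn relying party rejects the relayed assertion on the origin comparison before it even reaches the signature. That origin field is written by the browser from the page it is really on, which is why no amount of user care or attacker cleverness on the phishing page changes the outcome.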
Incredibly, even the FBI has come out to endorse the use of encryption, which perhaps speaks to just how serious this intrusion into U.S. telecom infrastructure has become. The FBI has a very long history of opposing encryption of any kind, at least without some kind of backdoor that law enforcement can walk right through. Apps like Signal provide end-to-end encryption for messaging, which protects messages in transit across a compromised carrier network; it does not protect a phone that has itself been hacked.
“Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps,” CISA said in its new guidance. “CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms. Such apps may also offer clients for MacOS, Windows, and Linux, and sometimes the web.”
There has been criticism of both the federal government and telecom companies for not taking Salt Typhoon seriously enough. Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times back in late November about the threat and sounded the alarm. But there has been the lingering question of what the average person can do about any of it. The answer, it seems, is that regular people can heed the advice of agencies like CISA when they make announcements intended for high-profile individuals.