Federal Authorities Urge Caution Regarding SMS Verification Following Largest-Ever Cyber Attack in U.S. History

The U.S. agency urges the public to use encrypted applications.

Do you rely on text messages for multi-factor authentication? It might be wise to switch methods, given the severity of a recent hack dubbed the "worst in our country's history." The government itself is issuing official warnings, recommending that government officials use encrypted applications for communication.

Reports suggest that hackers, allegedly backed by the Chinese government, have successfully infiltrated U.S. telecommunications infrastructure to such an extent that they could intercept unencrypted communications of numerous individuals. This operation, named Salt Typhoon, reportedly allowed them to listen to phone calls and steal text messages. The intruders have yet to be removed from these networks.

This week, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on protecting "highly targeted individuals." Included in this advice was a new warning about using SMS for two-factor authentication.

According to this guidance, which can be found online, SMS messages are not encrypted. A threat actor with access to a telecommunications provider's network could intercept these messages and read their contents. SMS is not resistant to phishing attacks, making it a weak form of authentication for high-value targets.

While not all services offer multi-factor authentication, and SMS might be the only option in some cases, it's better to use phishing-resistant methods like passkeys or authenticator apps when possible.

Even the FBI has endorsed the use of encryption, a stance that speaks volumes about the gravity of this telecommunications infrastructure intrusion. The FBI has historically opposed any form of encryption unless a backdoor is provided for law enforcement. Apps like Signal offer end-to-end encryption for messaging, although they do not make hacking impossible.

CISA advises adopting a free messaging application that guarantees end-to-end encryption, such as Signal or similar apps. It recommends an app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms. Such apps may also offer clients for macOS, Windows, and Linux, and sometimes even for web browsers.

Criticism has been leveled at both the federal government and telecom companies for not taking the Salt Typhoon threat seriously enough. Sen. Mark Warner, a Democrat from Virginia, discussed the threat with major publications like the Washington Post and the New York Times in late November, and sounded the alarm. However, it remains unclear what the average person can do to protect themselves from this ongoing threat. It seems that regular individuals can simply follow the advice of agencies like CISA when they issue announcements intended for high-profile individuals.

Given the vulnerabilities in SMS-based two-factor authentication, as highlighted by the Cybersecurity and Infrastructure Security Agency, it's crucial to consider utilizing more secure tech such as passkeys or authenticator apps for multi-factor authentication in the future. The recent Salt Typhoon operation has demonstrated the potential risks of relying on unencrypted SMS messages for communication and authentication, highlighting the need for technological advancements in this area.
