Feds warn SMS authentication is insecure after ‘worst hack in our nation’s history’



Do you use text messages for multi-factor authentication? Maybe you should switch to a different method, especially with everything we’re learning about the recent hack dubbed “the worst in our nation’s history.” The federal government is even issuing warnings now, including calling on government officials to use only encrypted apps for communications.

Hackers allied with the Chinese government infiltrated U.S. communications infrastructure so deeply that it allowed the interception of a number of people’s unencrypted communications, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen in on phone calls and seize text messages, and the hack was so widespread that they have not been booted from telecom networks yet.

The Cybersecurity and Infrastructure Security Agency (CISA) released guidance this week on best practices for protecting “highly targeted individuals,” which includes a new warning about text messages.

“Do not use SMS as a second factor of authentication. SMS are not encrypted and can be read by a threat actor with access to a telecom provider’s network who intercepts them. SMS MFA is not phishing-resistant, so it is not strong authentication for individual accounts highly targeted,” the directive, which was posted online, said.

Not all services allow multi-factor authentication, and sometimes text messages are the only option. But when you have a choice, it’s best to use phishing-resistant methods like passkeys or authentication applications. CISA prefaces its guidance by insisting that it only talks about high-value targets.

Incredibly, even the FBI has come out in favor of using encryption, which perhaps speaks to how dangerous this intrusion into the communications infrastructure of the United States is. The FBI has a very long history of opposing encryption of any kind, at least without providing some sort of backdoor through which law enforcement can pass. Apps like Signal provide end-to-end encryption for messaging, though that doesn’t make them impossible to hack.

“Adopt a free messaging app for secure communications that ensures end-to-end encryption, such as Signal or similar apps,” CISA said in its new guidance. “CISA recommends an end-to-end encrypted messaging application that is compatible with both iPhone and Android operating systems, allowing for cross-platform text messaging interoperability. Such applications may also provide clients for MacOS, Windows, Linux, and sometimes the Web.”

There has been criticism of both the federal government and telecommunications companies for not taking Salt Typhoon seriously enough. Senator Mark Warner, a Democrat from Virginia, spoke with The Washington Post and the New York Times back in late November about the threat and raised the alarm. But there was a lingering question about what the average person could do about any of it. The answer seems to be that ordinary people can heed the advice of agencies like CISA when they make announcements tailored to high-profile individuals.


