The DU Lounge
Related: Culture Forums, Support ForumsFeds Warn SMS Authentication Is Unsafe After 'Worst Hack in Our Nation's History'
This discussion thread was locked as off-topic by Lasher (a host of the The DU Lounge forum).
Note: I don't know how to categorize the authentication methods I use. Do I use an app? I don't know. I login, they text a code. I think that's the risk they're talking about.
_______________
Feds Warn SMS Authentication Is Unsafe After Worst Hack in Our Nations History
https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129
Do you use text messages for multi-factor authentication? You should probably switch to a different method, especially with everything were learning about a recent hack thats been dubbed the worst in our nations history. Even the federal government is putting out warnings now, including a call for government officials to only use encrypted apps for communication.
Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they havent even been booted from the telecom networks yet.
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting highly targeted individuals, which includes a new warning about text messages.
Do not use SMS as a second factor for authentication. SMS messages are not encrypteda threat actor with access to a telecommunication providers network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals, the guidance, which has been posted online, reads.
_______ More More MORE at the link
OldBaldy1701E
(6,609 posts)I have nothing and I am nothing. If the Chinese want to spy on me, feel free. They want to steal my identity? Go for it, big guy! Then the harassment calls can start going to you! Not to mention what would happen to their 'credit rating'!
intheflow
(29,053 posts)Like, just because Im trying to access my email from my sisters computer Im locked out awaiting two factor authentication, which they want to send to my phone even though I have correctly entered my password. However, my phone is dead or left at home, so I cant get in my email. The other authentication option offered is to send an email - to another account that Ill be locked out of. Im a public librarian and this scenario plays out almost daily with patrons. 😡
LearnedHand
(4,221 posts)It might be a bit of a pain for users but it's absolutely strong protection for you and your accounts.
intheflow
(29,053 posts)Last edited Fri Dec 20, 2024, 10:16 AM - Edit history (1)
It assumes a level of access to tech and tech competencies that many people dont have. If you need to access email to get, say, a copy of your birth certificate, but you set up your account 5 years ago and havent touched it since, and the phone number you gave isnt even your phone number anymore, it's more than useless. Its a major impediment for a lot of people needing to access urgent information. Its classist. This is my near-daily firsthand experience. YMMV.
LearnedHand
(4,221 posts)iPhone to iPhone is encrypted (safe)
Android to Android is encrypted if the texting app on both devices uses the RCS protocol
Cross-platform texting via native apps is unencrypted and thus unsafe
The FBI recommends encrypted third-party apps for cross-platform texting. This includes Signal, WhatsApp, and (I think) Facebook Messenger.
Midnight Writer
(23,126 posts)Landlines rule!
LiberalArkie
(16,655 posts)the "keys to the kingdom". The crypto keys that prevent this in their own apps.
SMS is not encrypted because every device and developer needs access to it, so even if it was encrypted everyone would have to have the keys to decrypt the messages as it is an open platform.
catbyte
(35,982 posts)They'd be bored stiff with my texts but have at it.
I don't use text messages to authenticate anything important
Lasher
(28,446 posts)We believe this OP is better suited to the GD Forum. Please repost it there.