Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

bucolic_frolic

(47,572 posts)
Fri Dec 20, 2024, 06:24 AM Friday

Feds Warn SMS Authentication Is Unsafe After 'Worst Hack in Our Nation's History'

This discussion thread was locked as off-topic by Lasher (a host of the The DU Lounge forum).

Note: I don't know how to categorize the authentication methods I use. Do I use an app? I don't know. I login, they text a code. I think that's the risk they're talking about.
_______________

Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’

https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129

Do you use text messages for multi-factor authentication? You should probably switch to a different method, especially with everything we’re learning about a recent hack that’s been dubbed the “worst in our nation’s history.” Even the federal government is putting out warnings now, including a call for government officials to only use encrypted apps for communication.

Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven’t even been booted from the telecom networks yet.

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting “highly targeted individuals,” which includes a new warning about text messages.

“Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals,” the guidance, which has been posted online, reads.

_______ More More MORE at the link

9 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies
Feds Warn SMS Authentication Is Unsafe After 'Worst Hack in Our Nation's History' (Original Post) bucolic_frolic Friday OP
Bring it. OldBaldy1701E Friday #1
Two factor authentication is bullshit anyway. intheflow Friday #2
It's totally not bullshit LearnedHand Friday #4
It's a PITA. intheflow Friday #7
Here's how to understand the warning LearnedHand Friday #3
These days I'm not feeling so much like an ignorant Luddite for not using a smartphone. Midnight Writer Friday #5
And the EU is wanting Apple to open up all of its IOS to all developers. This I presume would include LiberalArkie Friday #6
Well, if somebody else rates my GrubHub order, I'll know I've been hacked. catbyte Friday #8
Locking. Lasher Friday #9

OldBaldy1701E

(6,609 posts)
1. Bring it.
Fri Dec 20, 2024, 07:48 AM
Friday

I have nothing and I am nothing. If the Chinese want to spy on me, feel free. They want to steal my identity? Go for it, big guy! Then the harassment calls can start going to you! Not to mention what would happen to their 'credit rating'!

intheflow

(29,053 posts)
2. Two factor authentication is bullshit anyway.
Fri Dec 20, 2024, 08:03 AM
Friday

Like, just because I’m trying to access my email from my sister’s computer I’m locked out awaiting two factor authentication, which they want to send to my phone even though I have correctly entered my password. However, my phone is dead or left at home, so I can’t get in my email. The other authentication option offered is to send an email - to another account that I’ll be locked out of. I’m a public librarian and this scenario plays out almost daily with patrons. 😡

LearnedHand

(4,221 posts)
4. It's totally not bullshit
Fri Dec 20, 2024, 08:23 AM
Friday

It might be a bit of a pain for users but it's absolutely strong protection for you and your accounts.

intheflow

(29,053 posts)
7. It's a PITA.
Fri Dec 20, 2024, 09:23 AM
Friday

Last edited Fri Dec 20, 2024, 10:16 AM - Edit history (1)

It assumes a level of access to tech and tech competencies that many people don’t have. If you need to access email to get, say, a copy of your birth certificate, but you set up your account 5 years ago and haven’t touched it since, and the phone number you gave isn’t even your phone number anymore, it's more than useless. It’s a major impediment for a lot of people needing to access urgent information. It’s classist. This is my near-daily firsthand experience. YMMV.

LearnedHand

(4,221 posts)
3. Here's how to understand the warning
Fri Dec 20, 2024, 08:22 AM
Friday
iPhone to iPhone is encrypted (safe)

Android to Android is encrypted if the texting app on both devices uses the RCS protocol

Cross-platform texting via native apps is unencrypted and thus unsafe

The FBI recommends encrypted third-party apps for cross-platform texting. This includes Signal, WhatsApp, and (I think) Facebook Messenger.

Midnight Writer

(23,126 posts)
5. These days I'm not feeling so much like an ignorant Luddite for not using a smartphone.
Fri Dec 20, 2024, 08:24 AM
Friday

Landlines rule!

LiberalArkie

(16,655 posts)
6. And the EU is wanting Apple to open up all of its IOS to all developers. This I presume would include
Fri Dec 20, 2024, 08:33 AM
Friday

the "keys to the kingdom". The crypto keys that prevent this in their own apps.

SMS is not encrypted because every device and developer needs access to it, so even if it was encrypted everyone would have to have the keys to decrypt the messages as it is an open platform.

catbyte

(35,982 posts)
8. Well, if somebody else rates my GrubHub order, I'll know I've been hacked.
Fri Dec 20, 2024, 10:42 AM
Friday

They'd be bored stiff with my texts but have at it.

I don't use text messages to authenticate anything important

Lasher

(28,446 posts)
9. Locking.
Fri Dec 20, 2024, 11:36 AM
Friday

We believe this OP is better suited to the GD Forum. Please repost it there.

Latest Discussions»The DU Lounge»Feds Warn SMS Authenticat...