Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Communications Encryption China United States

Feds Warn SMS Authentication Is Unsafe (gizmodo.com) 43

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).

Feds Warn SMS Authentication Is Unsafe

Comments Filter:
  • SMS MFA (Score:3, Informative)

    by Anonymous Coward on Thursday December 19, 2024 @04:47PM (#65026713)

    Can this finally be the death of email / SMS multi-factor authentication?

    Please?

  • Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.

    Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

    • by SeaFox ( 739806 )

      Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      Well if you get one from one of the usual suspects (Google, Microsoft) they tend of have backup functions with their own platforms. If on Android I would recommend Authenticator Pro (now called Stratum [github.com] it seems). It's open source and has an encrypted local backup feature you can then just move off-device however you wish.

      • Well if you get one from one of the usual suspects (Google, Microsoft) they tend of have backup functions with their own platforms.

        Which is where the "circular dependency" whoever57 talked about came in. Normally your phone is one of the factors Google uses to authenticate you into your account. This could get really bad if you also used password safe software on your phone.

    • Some systems have backup keys for if you lose app access.
      Of course those then become a storage liability.

    • If you're using an TOTP based auth (and to my knowledge, most of the authentication apps are built on top of TOTP) you should be able to get the secret as a string instead of a QR code, and save the secret somewhere else.

      With that said, I agree - you need a backup for the authentication app. Whether it is a list of one-time recovery codes, the ability to register a second authentication app and/or hardware keys.

      Otherwise what they're really saying is they'll go along with the appearance of supporting highe

    • Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      Simple home strategy is to have two phones, one that stays in your secure locked safe at home except that when you get new accounts, when you get home you take it out and enrol both phones at the same time using the same QR code.

      • Ironically, the best thing for authenticator app "backups" was the iPod Touch. Since it didn't need to have the cellular circuitry, it was a nice little item that not just worked with authenticator apps, but also had decent encryption, and auto-wipe after ten wrong tries. I'm guessing the iPhone SE 3 for around $100-$200 is probably useful for this, but it would be nice to have something that is just designed to be bare bones and thin.

        What would be nice if more places offered a way to do restore codes, pe

    • Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      I switched from Authy to 2FAS on my Pixel 5a, for several reasons, including that the latter can export your token info as JSON in either a clear-text or encrypted file for offline backup. I don't have a second Android (or iOS) device, but could stand up a virtual device in, say, Android Studio on Linux, but don't have to go that far. I also just started experimenting with KeePassXC and it supports TOTP tokens and you can copy/paste the Manual Keys for your tokens from the 2FAS JSON file ... I imagine o

    • by jmccue ( 834797 )
      For me, none. I will not use fingerprints, face scans nor pass keys nor password managers or any thing else like that. That will mean to me it will be back to the old days, in person banking or bank over the phone.
    • Also, there is still a sizable number of people, mostly elderly, who don't have smartphones, and couldn't figure out how to use an authenticator app if their life depended on it. What's the alternative for them?

      • In IT, I have had users like that. I gave them a keyfob, told them to just type their username, password, and after their password, type in the digits. This worked well enough, not just for older people, but people who didn't want authentication on a smartphone.

    • Great sense of humor . You know that nobody does the things they *should* do, right?

      Want a blank stare? Ask soneone when they did their last backup.
    • You hit the nail on the head. A while back, I was using one app which only synced, but didn't offer backups. It synced corrupted data and destroyed all my 2FA codes. Were it not for an offline device, I would have been hosed.

      There are PW managers that have good backups and Google TOTP/HOTP support. 1Password, BitWarden, KeePass variants (Strongbox), and others. All of which have some sort of backup/export mechanism that can export stuff as .CSV or .JSON format. I use one PW manager for passwords, a se

  • If SMS messages aren't encrypted, then what does the lock mean when you send the message??
    • by SeaFox ( 739806 )

      It means you're not sending a SMS message. You're communicating over an RCS chat.

      • Then how do you send an SMS on Android? Is "messages" not SMS?
        • by SeaFox ( 739806 )

          Messages [google.com] is Google's own messaging app. It defaults to RCS now I think, and if it can't send the message with RCS it will fall back to plain SMS. That's what it used to do for convos with iOS users until Apple recently added RCS support. It also adds read message indicators, and typing indicators so the other person knows when you are typing a message. You can disable these features individually, or disable RCS completely if you want in the settings.

          Personally I like it as besides the E2E encrypted thing wh

          • So if you get 2fa in messages is that safe? And then what is the SMS app if not messages?
            • by SeaFox ( 739806 )

              So if you get 2fa in messages is that safe?

              I doubt the 2FA messages are being sent as an RCS convo. They are just SMS from my bank. The Google Messages app uses different coloring to indicate SMS messages vs. RCS Chat messages so you should be able to figure this out.

              And then what is the SMS app if not messages?

              They are one and the same. Texting via Messages uses RCS Chat protocol when possible (unless you disable it), and SMS when it is not possible to use RCS. It is possible to have a convo that is RCS slip back into SMS if there is an issue with the connection. The app will indicate this wh

              • by djinn6 ( 1868030 )

                Then the solution is simple. Banks need to upgrade to RCS Chat or some other encrypted communication protocol.

                My guess is they won't because there hasn't been a large scale problem. Chinese spies aren't that interested in the average Joe's bank account.

  • by organgtool ( 966989 ) on Thursday December 19, 2024 @04:58PM (#65026751)
    While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.
    • by SeaFox ( 739806 )

      While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all...

      I'm tempted to contact my own bank now and mention this specific government guidance, I have the same SMS MFA deal now. But it seems too soon to expect them to have a real response. As far as the second bank you mention, I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.

      • I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.

        I haven't had a chance to move everything over to another bank because it's quite a bit of effort since I pay all of my bills from that account. The account had good security for its time when I first opened it but the bank that took it over has obviously fallen way behind. My other excuse is that I'm voting with my wallet on so many other fronts that I haven't gotten

    • While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.

      TOTP has the same problem as SMS offering no protection against verifier impersonation. These schemes should be deemed not fit for purpose and avoided.

  • Fiasco (Score:5, Insightful)

    by eriks ( 31863 ) on Thursday December 19, 2024 @05:04PM (#65026763)

    This current fiasco aside, I've been saying this basically since "2FA" became a thing. Not that anyone listens to me. It does very little to actually secure a password-protected account. It makes those accounts LESS secure, not more, since SIM cloning and other (mostly social engineering) vulnerabilities are practically trivial for a determined attacker, which is another whole discussion.

    If the problem is that people reuse and choose weak passwords (it mostly is) and forget them (which they do) then enforce a password length of 12 characters without any specific character requirements, and that's it, or even better make them pick four at least four-letter-words and tell them to remember the words or write them down and store securely, and have another method (involving a human) to authenticate the account in the event of a lost password. If you must use "2FA" use email, not SMS. It's still not great, but it's somewhat better. Authenticator apps are fine, so use those if you must. And for God's sake don't require password changes! Let them pick a strong password and keep it until *they* want to change it!

    • I'm sorry, could you please repeat that? I wasn't listening.

    • My problem is, if hackers are within your communication systems, how much safer are authenticator apps? If they get the initial key string or if they can extract it from your device, you're done either way. The only difference is, you *may* get a notification that someone tried to get your SMS 2FA message if they failed the attempt. Hell, if they have access to your communication systems, why bother with SMS codes or authenticator apps? Why not just grab the access token of an existing session?

      You can't b
  • 2016 (Score:4, Insightful)

    by bill_mcgonigle ( 4333 ) * on Thursday December 19, 2024 @05:49PM (#65026853) Homepage Journal

    People have been getting their crypto wallets stolen this way for almost a decade, with SS7 hijacking and sim-swap attacks.

    Glad the feds noticed nine years later. /s

    • by dfghjk ( 711126 )

      Why do you assume it took nine years? For all we know, they've known all along. Don't make the mistake of thinking they care about crimes committed against you.

  • Whatever its other failings, how is SMS somehow uniquely "not phishing resistant"?

    If someone could phish an SMS code out of you, couldn't they phish an Authenticator code out of you?

  • We've been saying that for 15 fucking years. But DC is finally embarrassed, and all of a sudden the feds care about our (the little people) security. Fucking perfect.

  • so.. entire government, law enforcement agencies, intel agencies, telecoms are aware of this and have been for a while now... still unresolved outside of- don't use sms 2fa, or regular calls/text when working for government...

    THAT IS NOT A SOLUTION.

    most banks/government agencies don't even support anything other than sms 2fa... and won't implement for a while...

    how is this not fixed yet? I realize it's not as simple as writing a software patch and pressing upgrade... but seriously... "worst hack in history

    • by Cyberax ( 705495 )
      SMS is fundamentally insecure because it rides over the SS7 network. RCS can be made secure, with mutual authentication and E2E-encryption. But it's designed to be unusable by everyone except Google and carriers.
      • I get that it is insecure... but this "hack" is nation states gaining access to the telco infrastructure to intercept them at will. How have they not closed off that access?

        Is it because it's the same access the LEO's use to intercept/wiretap calls during investigations? or is this some new fundamental design flaw in the US telcos being abused to gain access?

        This breach should not STILL be happening.

It has just been discovered that research causes cancer in rats.

Working...