Feds Warn SMS Authentication Is Unsafe (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of the unencrypted communications of a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive that they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).

Comments
  • SMS MFA (Score:4, Informative)

    by Anonymous Coward on Thursday December 19, 2024 @04:47PM (#65026713)

    Can this finally be the death of email / SMS multi-factor authentication?

    Please?

    • by Rujiel ( 1632063 )
      Instead they will want it to be the death of non-biometric ID.
    • by vbdasc ( 146051 )

      Why are you putting email and SMS in one bag?

      • by nashv ( 1479253 )

        Because like SMS, most email is also not encrypted, nor are email programs and readers sandboxed.

    • Can this finally be the death of government-mandated backdoors? The Chinese seemingly just made use of interception capabilities that the US government forced providers to install.
  • Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.

    Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

    • by SeaFox ( 739806 )

      Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      Well, if you get one from one of the usual suspects (Google, Microsoft) they tend to have backup functions with their own platforms. If on Android, I would recommend Authenticator Pro (now called Stratum [github.com] it seems). It's open source and has an encrypted local backup feature you can then just move off-device however you wish.

      • Well, if you get one from one of the usual suspects (Google, Microsoft) they tend to have backup functions with their own platforms.

        Which is where the "circular dependency" whoever57 talked about came in. Normally your phone is one of the factors Google uses to authenticate you into your account. This could get really bad if you also used password safe software on your phone.

    • Some systems have backup keys for if you lose app access.
      Of course those then become a storage liability.

    • If you're using a TOTP-based auth (and to my knowledge, most of the authentication apps are built on top of TOTP) you should be able to get the secret as a string instead of a QR code, and save the secret somewhere else.

      With that said, I agree - you need a backup for the authentication app. Whether it is a list of one-time recovery codes, the ability to register a second authentication app and/or hardware keys.

      Otherwise what they're really saying is they'll go along with the appearance of supporting highe

    • Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      A simple home strategy is to have two phones, one of which stays in your secure locked safe at home; when you get a new account, you take it out when you get home and enrol both phones at the same time using the same QR code.

      • Ironically, the best thing for authenticator app "backups" was the iPod Touch. Since it didn't need to have the cellular circuitry, it was a nice little item that not only worked with authenticator apps, but also had decent encryption, and auto-wipe after ten wrong tries. I'm guessing the iPhone SE 3 for around $100-$200 is probably useful for this, but it would be nice to have something that is just designed to be bare bones and thin.

        What would be nice if more places offered a way to do restore codes, pe

      • by ceoyoyo ( 59147 )

        You could use a piece of paper in the safe too. Cheaper than a phone and more reliable.

    • Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.

      I switched from Authy to 2FAS on my Pixel 5a, for several reasons, including that the latter can export your token info as JSON in either a clear-text or encrypted file for offline backup. I don't have a second Android (or iOS) device, but could stand up a virtual device in, say, Android Studio on Linux, but don't have to go that far. I also just started experimenting with KeePassXC and it supports TOTP tokens and you can copy/paste the Manual Keys for your tokens from the 2FAS JSON file ... I imagine o

    • by jmccue ( 834797 )
      For me, none. I will not use fingerprints, face scans, passkeys, password managers or anything else like that. That will mean to me it will be back to the old days: in-person banking or banking over the phone.
    • Also, there is still a sizable number of people, mostly elderly, who don't have smartphones, and couldn't figure out how to use an authenticator app if their life depended on it. What's the alternative for them?

      • In IT, I have had users like that. I gave them a keyfob, told them to just type their username, password, and after their password, type in the digits. This worked well enough, not just for older people, but people who didn't want authentication on a smartphone.

        • Good luck getting the banks to start handing out key fobs to older people so they don't have to use SMS.

          • Good luck getting the banks to start handing out key fobs to older people so they don't have to use SMS.

            This, a thousand times this. The Commonwealth Bank used to issue key fobs, but now insists on using SMS, which since the shutdown of 3G in my area doesn't work in my home office (in a decent sized urban area.) SMS is also not guaranteed to work overseas, even if you pay the ten dollar PER DAY international roaming charge. Does the bank give a fuck? No, they insist on using SMS, even though it is insecure and unreliable. I'd be 100% happy to revert to over the counter banking but the dirty scum are trying to

    • Great sense of humor. You know that nobody does the things they *should* do, right?

      Want a blank stare? Ask someone when they did their last backup.
    • You hit the nail on the head. A while back, I was using one app which only synced, but didn't offer backups. It synced corrupted data and destroyed all my 2FA codes. Were it not for an offline device, I would have been hosed.

      There are PW managers that have good backups and Google TOTP/HOTP support. 1Password, BitWarden, KeePass variants (Strongbox), and others. All of which have some sort of backup/export mechanism that can export stuff as .CSV or .JSON format. I use one PW manager for passwords, a se

    • by ceoyoyo ( 59147 )

      They do. HOTP uses a shared secret key. These days that's often shared with you as a QR code. You can a) keep a copy of that QR code b) keep a copy of the secret key itself, or c) generate either whenever you need from your authenticator app. Google Authenticator will generate the QR codes if you ask it. If your app doesn't, get another app.

      In addition, lots of HOTP/TOTP based systems also use another backup method, like a set of random one time use passwords. The "recovery codes" you're supposed to write d
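The TOTP mechanics the comment above describes (one shared secret, usually handed over as a QR code that encodes an otpauth:// URI, which any number of devices can be enrolled from), as an added Python example that is not from this thread: it derives codes per RFC 4226/6238, shows that a safe-kept backup device enrolled from the same QR code yields the identical code with no sync, and includes the verifier-side drift window. The URI, issuer and account name are constructed sample values; the key is the RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample enrolment: the RFC 4226/6238 test key, base32-encoded the
# way an authenticator app receives it inside the QR code's otpauth:// URI.
RAW_SECRET = b"12345678901234567890"
ENROLLED_SECRET = base64.b32encode(RAW_SECRET).decode()
SAMPLE_URI = f"otpauth://totp/ExampleBank:alice?secret={ENROLLED_SECRET}&issuer=ExampleBank"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as apps display it: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def secret_from_uri(uri: str) -> str:
    """Pull the shared secret out of the otpauth:// URI that a QR code encodes."""
    return parse_qs(urlparse(uri).query)["secret"][0]


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(decode_secret(secret_b32), int(unix_time) // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side for clock drift."""
    key = decode_secret(secret_b32)
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(key, c), candidate)
               for c in range(counter - window, counter + window + 1))


def codes_from_two_enrolments(uri: str, unix_time: int) -> tuple:
    """Enrol a phone and a safe-kept backup device from the same QR code:
    both hold the same secret, so both produce the same code with no sync."""
    phone_secret = secret_from_uri(uri)
    backup_secret = secret_from_uri(uri)
    return totp_code(phone_secret, unix_time), totp_code(backup_secret, unix_time)


if __name__ == "__main__":
    print("phone, backup:", codes_from_two_enrolments(SAMPLE_URI, int(time.time())))
```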

      • They do. HOTP uses a shared secret key. These days that's often shared with you as a QR code. You can a) keep a copy of that QR code b) keep a copy of the secret key itself, or c) generate either whenever you need from your authenticator app. Google Authenticator will generate the QR codes if you ask it. If your app doesn't, get another app.

        In addition, lots of HOTP/TOTP based systems also use another backup method, like a set of random one time use passwords. The "recovery codes" you're supposed to write down and keep safe from Github, for example.

        None of these schemes are secure.

    • Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.

      Client certs are secure, authenticator apps are not.

  • If SMS messages aren't encrypted, then what does the lock mean when you send the message??
    • by SeaFox ( 739806 )

      It means you're not sending a SMS message. You're communicating over an RCS chat.

      • Then how do you send an SMS on Android? Is "messages" not SMS?
        • by SeaFox ( 739806 )

          Messages [google.com] is Google's own messaging app. It defaults to RCS now I think, and if it can't send the message with RCS it will fall back to plain SMS. That's what it used to do for convos with iOS users until Apple recently added RCS support. It also adds read message indicators, and typing indicators so the other person knows when you are typing a message. You can disable these features individually, or disable RCS completely if you want in the settings.

          Personally I like it as besides the E2E encrypted thing wh

          • So if you get 2fa in messages is that safe? And then what is the SMS app if not messages?
            • by SeaFox ( 739806 )

              So if you get 2fa in messages is that safe?

              I doubt the 2FA messages are being sent as an RCS convo. They are just SMS from my bank. The Google Messages app uses different coloring to indicate SMS messages vs. RCS Chat messages so you should be able to figure this out.

              And then what is the SMS app if not messages?

              They are one and the same. Texting via Messages uses RCS Chat protocol when possible (unless you disable it), and SMS when it is not possible to use RCS. It is possible to have a convo that is RCS slip back into SMS if there is an issue with the connection. The app will indicate this wh

              • by djinn6 ( 1868030 )

                Then the solution is simple. Banks need to upgrade to RCS Chat or some other encrypted communication protocol.

                My guess is they won't because there hasn't been a large scale problem. Chinese spies aren't that interested in the average Joe's bank account.

  • by organgtool ( 966989 ) on Thursday December 19, 2024 @04:58PM (#65026751)
    While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.
    • by SeaFox ( 739806 )

      While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all...

      I'm tempted to contact my own bank now and mention this specific government guidance, I have the same SMS MFA deal now. But it seems too soon to expect them to have a real response. As far as the second bank you mention, I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.

      • I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.

        I haven't had a chance to move everything over to another bank because it's quite a bit of effort since I pay all of my bills from that account. The account had good security for its time when I first opened it but the bank that took it over has obviously fallen way behind. My other excuse is that I'm voting with my wallet on so many other fronts that I haven't gotten

    • While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.

      TOTP has the same problem as SMS offering no protection against verifier impersonation. These schemes should be deemed not fit for purpose and avoided.

  • Fiasco (Score:5, Insightful)

    by eriks ( 31863 ) on Thursday December 19, 2024 @05:04PM (#65026763)

    This current fiasco aside, I've been saying this basically since "2FA" became a thing. Not that anyone listens to me. It does very little to actually secure a password-protected account. It makes those accounts LESS secure, not more, since SIM cloning and other (mostly social engineering) vulnerabilities are practically trivial for a determined attacker, which is another whole discussion.

    If the problem is that people reuse and choose weak passwords (it mostly is) and forget them (which they do), then enforce a password length of 12 characters without any specific character requirements, and that's it; or even better, make them pick four words of at least four letters each and tell them to remember the words or write them down and store them securely, and have another method (involving a human) to authenticate the account in the event of a lost password. If you must use "2FA", use email, not SMS. It's still not great, but it's somewhat better. Authenticator apps are fine, so use those if you must. And for God's sake don't require password changes! Let them pick a strong password and keep it until *they* want to change it!

    • I'm sorry, could you please repeat that? I wasn't listening.

    • My problem is, if hackers are within your communication systems, how much safer are authenticator apps? If they get the initial key string or if they can extract it from your device, you're done either way. The only difference is, you *may* get a notification that someone tried to get your SMS 2FA message if they failed the attempt. Hell, if they have access to your communication systems, why bother with SMS codes or authenticator apps? Why not just grab the access token of an existing session?

      You can't b
  • 2016 (Score:4, Insightful)

    by bill_mcgonigle ( 4333 ) * on Thursday December 19, 2024 @05:49PM (#65026853) Homepage Journal

    People have been getting their crypto wallets stolen this way for almost a decade, with SS7 hijacking and sim-swap attacks.

    Glad the feds noticed nine years later. /s

    • by dfghjk ( 711126 )

      Why do you assume it took nine years? For all we know, they've known all along. Don't make the mistake of thinking they care about crimes committed against you.

  • Whatever its other failings, how is SMS somehow uniquely "not phishing resistant"?

    If someone could phish an SMS code out of you, couldn't they phish an Authenticator code out of you?

  • We've been saying that for 15 fucking years. But DC is finally embarrassed, and all of a sudden the feds care about our (the little people) security. Fucking perfect.

  • so.. entire government, law enforcement agencies, intel agencies, telecoms are aware of this and have been for a while now... still unresolved outside of- don't use sms 2fa, or regular calls/text when working for government...

    THAT IS NOT A SOLUTION.

    most banks/government agencies don't even support anything other than sms 2fa... and won't implement for a while...

    how is this not fixed yet? I realize it's not as simple as writing a software patch and pressing upgrade... but seriously... "worst hack in history

    • by Cyberax ( 705495 )
      SMS is fundamentally insecure because it rides over the SS7 network. RCS can be made secure, with mutual authentication and E2E-encryption. But it's designed to be unusable by everyone except Google and carriers.
      • I get that it is insecure... but this "hack" is nation states gaining access to the telco infrastructure to intercept them at will. How have they not closed off that access?

        Is it because it's the same access the LEO's use to intercept/wiretap calls during investigations? or is this some new fundamental design flaw in the US telcos being abused to gain access?

        This breach should not STILL be happening.

      • by vbdasc ( 146051 )

        Good to know that Apple is either Google or a carrier.

  • but no one is using it. All electronic communication could be end-to-end encrypted and authenticated. Yubikey, SIM, and TPM could provide secure 2FA. Does your bank use those methods? No. It's almost like they profit off the crime that results; I wonder if that is what is actually going on.
  • ... "worst hack in our nation's history," ...

    It may be the worst leak in US history. It is definitely not the 'worst' hack/intrusion.
