Feds Warn SMS Authentication Is Unsafe (gizmodo.com)
An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.
"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets. The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).
SMS MFA (Score:4, Informative)
Can this finally be the death of email / SMS multi-factor authentication?
Please?
Re: (Score:3)
Why are you putting email and SMS in one bag?
Re: (Score:3)
Because like SMS, most email is also not encrypted, nor are email programs and readers sandboxed.
Re: (Score:3)
Not likely.
SMS second factor is a convenient way to gather phone numbers of customers in the name of security.
Re: (Score:3)
Not likely.
SMS second factor is a convenient way to gather phone numbers of customers in the name of security.
Which seems to be the point of most of the security theater we get subjected to online. Why the fuck does Google need my physical address? They gonna send me a snail-mail to verify my account now?
Re: (Score:2)
Not sure the benefit of gathering phone numbers will be more valuable than the cost of sending 2FA SMS messages. Phone number info is pretty cheap to get
Re: (Score:2)
Can this finally be the death of email / SMS multi-factor authentication?
Please?
Remember SIM swapping? If social engineering the provider didn't kill it, this won't either.
And the alternative? (Score:2)
Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.
Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
Re: (Score:2)
Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
Well if you get one from one of the usual suspects (Google, Microsoft) they tend to have backup functions with their own platforms. If on Android I would recommend Authenticator Pro (now called Stratum [github.com] it seems). It's open source and has an encrypted local backup feature you can then just move off-device however you wish.
Re: (Score:3)
Well if you get one from one of the usual suspects (Google, Microsoft) they tend to have backup functions with their own platforms.
Which is where the "circular dependency" whoever57 talked about came in. Normally your phone is one of the factors Google uses to authenticate you into your account. This could get really bad if you also used password safe software on your phone.
Re: (Score:2)
Some systems have backup keys for if you lose app access.
Of course those then become a storage liability.
Re: (Score:3)
If you're using a TOTP-based auth (and to my knowledge, most of the authentication apps are built on top of TOTP) you should be able to get the secret as a string instead of a QR code, and save the secret somewhere else.
With that said, I agree - you need a backup for the authentication app. Whether it is a list of one-time recovery codes, the ability to register a second authentication app and/or hardware keys.
Otherwise what they're really saying is they'll go along with the appearance of supporting highe
Re: (Score:2)
I always take a screenshot of the QR code and print it out.
This method works just fine to restore my TOTP accounts into a new phone.
Re: (Score:1)
Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
Simple home strategy is to have two phones, one that stays in your secure locked safe at home except that when you get new accounts, when you get home you take it out and enrol both phones at the same time using the same QR code.
Re: (Score:3)
Ironically, the best thing for authenticator app "backups" was the iPod Touch. Since it didn't need to have the cellular circuitry, it was a nice little item that not just worked with authenticator apps, but also had decent encryption, and auto-wipe after ten wrong tries. I'm guessing the iPhone SE 3 for around $100-$200 is probably useful for this, but it would be nice to have something that is just designed to be bare bones and thin.
What would be nice if more places offered a way to do restore codes, pe
Re: (Score:2)
You could use a piece of paper in the safe too. Cheaper than a phone and more reliable.
Re: (Score:2)
Authenticator apps need to have a clear backup approach and not one that turns out to have circular dependencies should you lose your phone.
I switched from Authy to 2FAS on my Pixel 5a, for several reasons, including that the latter can export your token info as JSON in either a clear-text or encrypted file for offline backup. I don't have a second Android (or iOS) device, but could stand up a virtual device in, say, Android Studio on Linux, but don't have to go that far. I also just started experimenting with KeePassXC and it supports TOTP tokens and you can copy/paste the Manual Keys for your tokens from the 2FAS JSON file ... I imagine o
Re: (Score:2)
The same phone that has been pwned by the Chinese?
Nothing beats in person.
Re: (Score:2)
Ok grandpa, let's get you to bed after we drive to the bank to get more checks for grocery shopping
Re: (Score:2)
Also, there is still a sizable number of people, mostly elderly, who don't have smartphones, and couldn't figure out how to use an authenticator app if their life depended on it. What's the alternative for them?
Re: (Score:2)
In IT, I have had users like that. I gave them a keyfob, told them to just type their username, password, and after their password, type in the digits. This worked well enough, not just for older people, but people who didn't want authentication on a smartphone.
Re: (Score:2)
Good luck getting the banks to start handing out key fobs to older people so they don't have to use SMS.
Re: (Score:2)
Good luck getting the banks to start handing out key fobs to older people so they don't have to use SMS.
This, a thousand times this. The Commonwealth Bank used to issue key fobs, but now insists on using SMS, which since the shutdown of 3G in my area doesn't work in my home office (in a decent sized urban area.) SMS is also not guaranteed to work overseas, even if you pay the ten dollar PER DAY international roaming charge. Does the bank give a fuck? No, they insist on using SMS, even though it is insecure and unreliable. I'd be 100% happy to revert to over the counter banking but the dirty scum are trying to
Re: (Score:2)
If you're steamed about international roaming charges, you should check out one of the pay-as-you-go carriers like Boost Mobile. Their international roaming fee is $20 per month. https://www.boostmobile.com/gl... [boostmobile.com] In addition, their monthly cell service starts at $25, with no pile of extra fees each month. https://www.boostmobile.com/pl... [boostmobile.com]. The other carriers like Consumer Cellular, Mint, Straight Talk, and Cricket all offer similar rates. I've been using prepaid cellular for years, and see NO reason to pay
Re: (Score:2)
Thanks for the recommendation of Boost. For now when I travel I am using a prepaid SIM I picked up during a layover at Helsinki airport for 5 euros. I need to put a couple of Euros on it every 6 months, but otherwise it seems pretty good, except for in the USA. I just couldn't get it to work there.
The brand is "DNA Mobile." The website has an English setting and I didn't have any problems getting it set up. Note that you do need to activate the SIM while you're on Finnish soil, so don't just buy one during t
Re: (Score:2)
Denmark has fully transitioned to the same device based 2-factor for all banks.
You can pick either an app on your phone or a key fob. You can even add multiple devices if you prefer, fobs or phone apps.
Re: (Score:2)
Nice.
In the US, something like this would require WAY too much regulation, our incoming administration would never allow such a requirement. We can't even get our FCC to enforce authentication for phone calls, to block unvalidated spammers or caller ID spoofing.
Re: (Score:2)
Good luck getting the banks to start handing out key fobs to older people so they don't have to use SMS.
My UK bank ships a card reader to customers for 2FA. The website gives you a code, you insert your credit or debit card into the reader, unlock it with the PIN, enter the code from the website, then finally, put the resulting number back into the box on the website. This is a fairly involved procedure, but it only does this for new payees.
When using the cellphone app, it required me to take a photo of my head. I don't think the bank has anything to compare this to, but at least there is a record in the case
Re: And the alternative? (Score:2)
Want a blank stare? Ask someone when they did their last backup.
Re: (Score:2)
You hit the nail on the head. A while back, I was using one app which only synced, but didn't offer backups. It synced corrupted data and destroyed all my 2FA codes. Were it not for an offline device, I would have been hosed.
There are PW managers that have good backups and Google TOTP/HOTP support. 1Password, BitWarden, KeePass variants (Strongbox), and others. All of which have some sort of backup/export mechanism that can export stuff as .CSV or .JSON format. I use one PW manager for passwords, a se
Re: (Score:2)
They do. HOTP uses a shared secret key. These days that's often shared with you as a QR code. You can a) keep a copy of that QR code b) keep a copy of the secret key itself, or c) generate either whenever you need from your authenticator app. Google Authenticator will generate the QR codes if you ask it. If your app doesn't, get another app.
In addition, lots of HOTP/TOTP based systems also use another backup method, like a set of random one time use passwords. The "recovery codes" you're supposed to write d
Re: (Score:2)
They do. HOTP uses a shared secret key. These days that's often shared with you as a QR code. You can a) keep a copy of that QR code b) keep a copy of the secret key itself, or c) generate either whenever you need from your authenticator app. Google Authenticator will generate the QR codes if you ask it. If your app doesn't, get another app.
In addition, lots of HOTP/TOTP based systems also use another backup method, like a set of random one time use passwords. The "recovery codes" you're supposed to write down and keep safe from Github, for example.
None of these schemes are secure.
Re: (Score:2)
Good luck coming up with a lost password recovery process that's "secure" on your black and white scale. In fact, I can beat you up and take your phone, so the primary process isn't "secure" either.
Re: (Score:2)
Good luck coming up with a lost password recovery process that's "secure" on your black and white scale. In fact, I can beat you up and take your phone, so the primary process isn't "secure" either.
Phishing is the world's single biggest threat actively being used to compromise data and systems en masse and TOTP offers no protection against it.
Verifier impersonation resistance is the bare minimum required to meaningfully improve real world security outcomes today. It is significantly more important than MFA itself. Single factor password authentication protected by secure authentication algorithms (e.g. ZKP) and SAS is more secure than a multifactor authentication scheme without verifier impersonation
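The verifier-impersonation point above, as an added example (not code from any poster): a TOTP code depends only on the secret and the clock, so the real verifier cannot tell which page the user typed it into, whereas a WebAuthn-style assertion carries the origin the browser was actually connected to and the relying party rejects any other. Origins and keys are constructed, and JSON plus HMAC stand in for CBOR plus ECDSA so the origin check stays readable.

```python
"""Added example (not from the thread): why a TOTP code offers no verifier
impersonation resistance while a WebAuthn-style assertion does.
A TOTP code depends only on (secret, time); nothing in it records which site
the user typed it into. A WebAuthn assertion signs the origin the browser was
actually connected to, so the real relying party can reject one created on a
look-alike site. Origins and keys are constructed; JSON + HMAC stand in for
CBOR + ECDSA to keep the origin-binding check readable.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"           # constructed relying-party origin
LOOKALIKE_ORIGIN = "https://bank-example.com"  # constructed look-alike origin


def totp_verifier_accepts(submitted: str, expected: str) -> bool:
    """All the TOTP verifier ever sees is a six-digit string: origin-blind."""
    return hmac.compare_digest(submitted, expected)


def authenticator_sign(device_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Stand-in for navigator.credentials.get(). The browser, not the page
    script, fills in `origin`, so a page cannot claim to be another site."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def relying_party_verify(device_key: bytes, assertion: dict, issued_challenge: str,
                         expected_origin: str = REAL_ORIGIN) -> bool:
    """Real relying party: signature, challenge freshness AND origin must match."""
    expected_sig = hmac.new(device_key, assertion["clientData"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != issued_challenge:
        return False
    return data.get("origin") == expected_origin   # the phishing-resistance check


def login_outcome(origin_user_sees: str) -> tuple:
    """What the real verifier accepts when the user authenticates on a page at
    `origin_user_sees`, with everything forwarded unchanged to the real site.
    Returns (totp_accepted, webauthn_accepted)."""
    device_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)   # issued by the real site, forwarded as-is
    current_code = "492039"                 # constructed: same code whichever page shows the prompt
    totp_ok = totp_verifier_accepts(current_code, current_code)
    assertion = authenticator_sign(device_key, challenge, origin_user_sees)
    webauthn_ok = relying_party_verify(device_key, assertion, challenge)
    return totp_ok, webauthn_ok


if __name__ == "__main__":
    print("genuine site:", login_outcome(REAL_ORIGIN))
    print("look-alike site:", login_outcome(LOOKALIKE_ORIGIN))
```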
Re: (Score:2)
Sure, because most people don't run TOTP over HTTPS. And because you can't run it in both directions. TOTALLY insecure. Sad.
Re: (Score:2)
Using authenticator apps appears to be the alternative, but I have seen instructions that say that if you lose access to the app, you may lose access to that account.
Client certs are secure, authenticator apps are not.
Re: (Score:2)
I've resorted to always importing TOTP keys using the "enter code manually" option. Simply so I can also record the key (securely) elsewhere. Not really sure how else I can be certain that I'll have access to these codes.
I know that scanning the QR code is much more convenient but all of the apps I've used never give you an option to view the actual key in a portable form.
Wow, what a concept, why didn't any of these companies think of that? Oh that's right, I know why. Because they're enshittifying bast
Lock? (Score:2)
Re: (Score:3)
It means you're not sending a SMS message. You're communicating over an RCS chat.
Re: (Score:2)
Messages [google.com] is Google's own messaging app. It defaults to RCS now I think, and if it can't send the message with RCS it will fall back to plain SMS. That's what it used to do for convos with iOS users until Apple recently added RCS support. It also adds read message indicators, and typing indicators so the other person knows when you are typing a message. You can disable these features individually, or disable RCS completely if you want in the settings.
Personally I like it as besides the E2E encrypted thing wh
Re: (Score:2)
So if you get 2fa in messages is that safe?
I doubt the 2FA messages are being sent as an RCS convo. They are just SMS from my bank. The Google Messages app uses different coloring to indicate SMS messages vs. RCS Chat messages so you should be able to figure this out.
And then what is the SMS app if not messages?
They are one and the same. Texting via Messages uses RCS Chat protocol when possible (unless you disable it), and SMS when it is not possible to use RCS. It is possible to have a convo that is RCS slip back into SMS if there is an issue with the connection. The app will indicate this wh
Re: (Score:3)
Then the solution is simple. Banks need to upgrade to RCS Chat or some other encrypted communication protocol.
My guess is they won't because there hasn't been a large scale problem. Chinese spies aren't that interested in the average Joe's bank account.
Re: (Score:2)
If you have control of the phone number, you can probably authenticate to RCS as that phone number. Switching to RCS may not save you if the phone company is infiltrated.
Re: (Score:2)
If infiltration has reached that depth, I can't see what any of the suggestions proposed would do to help.
At that point you're probably better off burning it all to the ground and starting again.
Re: (Score:2)
SIM-swapping attacks exist where an attacker convinces the telecom to move the number to a different SIM. It just requires a gullible low-level customer service person that will make the switch. Fortunately telecoms have been getting better about verifying people and usually require it to be done in person.
Re: (Score:2)
End-to-end encryption (e.g. Signal or WhatsApp) still works even if the carrier is compromised. But then you'd be fighting your own government because they want the ability to spy on you.
Re: Lock? (Score:2)
Wouldn't there be a risk of MITM attacks in such a situation?
Re: (Score:2)
Wouldn't there be a risk of MITM attacks in such a situation?
If the encryption protocol is designed and implemented correctly, then no. All data that passes through the carrier is encrypted and the carrier does not know the decryption key. Identification of each party is performed with private keys stored on each device. At worst they can prevent the messages from going through.
Re: Lock? (Score:2)
Hmm, definitely something to chew on. Thanks for the explanation!
I've Preferred TOTP For a While (Score:5, Interesting)
Re: (Score:2)
While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all...
I'm tempted to contact my own bank now and mention this specific government guidance, I have the same SMS MFA deal now. But it seems too soon to expect them to have a real response. As far as the second bank you mention, I would have voted with my wallet (account) long ago, and let them know their lack of security is the reason they were losing my business.
Re: (Score:2)
I haven't had a chance to move everything over to another bank because it's quite a bit of effort since I pay all of my bills from that account. The account had good security for its time when I first opened it but the bank that took it over has obviously fallen way behind. My other excuse is that I'm voting with my wallet on so many other fronts that I haven't gotten
Re: (Score:2)
While I prefer TOTP, one of my banks only allows MFA with SMS or a call and another bank doesn't offer MFA at all, which is why that account now contains the minimal amount of money to pay my bills. TOTP is nice because you can use it on multiple devices, including devices that don't have cellular connections, such as tablets. That way, you have a backup in case you lose your phone or drop it in the turlet.
TOTP has the same problem as SMS offering no protection against verifier impersonation. These schemes should be deemed not fit for purpose and avoided.
Re: (Score:2)
One of the financial institutions I use offers MFA via the Symantec VIP [symantec.com] app, which is their own proprietary wrapper on top of TOTP. I don't like it as a proprietary solution - particularly when bog-standard TOTP is perfectly good and supported by lots of non-proprietary apps. I've seen chatter online about being able to extract the shared secret via some scripts, then import that into a stand
Re: (Score:2)
One of the financial institutions I use offers MFA via the Symantec VIP app, which is their own proprietary wrapper on top of TOTP. I don't like it as a proprietary solution - particularly when bog-standard TOTP is perfectly good and supported by lots of non-proprietary apps. I've seen chatter online about being able to extract the shared secret via some scripts, then import that into a standard TOTP app, but haven't tried yet.
Also not secure. The same problem mentioned in TFA for SMS "SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals" applies to all of these solutions (e.g. hacks) as well.
Fiasco (Score:5, Insightful)
This current fiasco aside, I've been saying this basically since "2FA" became a thing. Not that anyone listens to me. It does very little to actually secure a password-protected account. It makes those accounts LESS secure, not more, since SIM cloning and other (mostly social engineering) vulnerabilities are practically trivial for a determined attacker, which is another whole discussion.
If the problem is that people reuse and choose weak passwords (it mostly is) and forget them (which they do) then enforce a password length of 12 characters without any specific character requirements, and that's it, or even better make them pick four words of at least four letters each and tell them to remember the words or write them down and store securely, and have another method (involving a human) to authenticate the account in the event of a lost password. If you must use "2FA" use email, not SMS. It's still not great, but it's somewhat better. Authenticator apps are fine, so use those if you must. And for God's sake don't require password changes! Let them pick a strong password and keep it until *they* want to change it!
Re: (Score:2)
I'm sorry, could you please repeat that? I wasn't listening.
Re: (Score:3)
You can't b
Re: (Score:2)
You're probably right about at least some Auth apps, though the simple time-based ones should be reasonably secure. I totally agree that "MFA" is mostly corporate ass-covering, which is why you see it bolted on to systems that still have monumentally stupid things like MAXIMUM password lengths of 12 characters (I shit you not) and regular enforced password changes, which are things that any security professional would have told you not to do decades ago.
Re: (Score:2)
...still have monumentally stupid things like MAXIMUM password lengths of 12 characters (I shit you not) ...
Oh, I know. My passwords frequently hit that limit. Often, I'll be like, "I don't care about this account. It's just going to end up as a throwaway. Let me set a whatever password." And I'll hit that limit.
2016 (Score:5, Insightful)
People have been getting their crypto wallets stolen this way for almost a decade, with SS7 hijacking and sim-swap attacks.
Glad the feds noticed nine years later. /s
Re: (Score:2)
Why do you assume it took nine years? For all we know, they've known all along. Don't make the mistake of thinking they care about crimes committed against you.
Re: (Score:2)
No, it's easier than that.
The attacker would simply need to try to log in (or reset a password) as you, if they know or can guess your login name. When the system sends an SMS code, if the attacker can somehow obtain that code through SMS eavesdropping, they can then apply the code that was sent to you.
In other words, they don't have to tie YOUR web browser session to your SMS code, they just have to tie THEIR web browser session to your SMS code.
"phishing resistant"? (Score:1)
Whatever its other failings, how is SMS somehow uniquely "not phishing resistant"?
If someone could phish an SMS code out of you, couldn't they phish an Authenticator code out of you?
no shit Sherlock (Score:2)
We've been saying that for 15 fucking years. But DC is finally embarrassed, and all of a sudden the feds care about our (the little people) security. Fucking perfect.
how is this "hack" still a thing? (Score:2)
so.. entire government, law enforcement agencies, intel agencies, telecoms are aware of this and have been for a while now... still unresolved outside of- don't use sms 2fa, or regular calls/text when working for government...
THAT IS NOT A SOLUTION.
most banks/government agencies don't even support anything other than sms 2fa... and won't implement for a while...
how is this not fixed yet? I realize it's not as simple as writing a software patch and pressing upgrade... but seriously... "worst hack in history
Re: (Score:2)
I get that it is insecure... but this "hack" is nation states gaining access to the telco infrastructure to intercept them at will. How have they not closed off that access?
Is it because it's the same access the LEO's use to intercept/wiretap calls during investigations? or is this some new fundamental design flaw in the US telcos being abused to gain access?
This breach should not STILL be happening.
Re: (Score:2)
Good to know that Apple is either Google or a carrier.
We have the technology (Score:2)
The propaganda begins (Score:2)
It may be the worst leak in US history. It is definitely not the 'worst' hack/intrusion.
"worst hack in our nation's history" (Score:2)
has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).
And yet beyond issuing some 'advisory' exactly nothing will be done. No real consequences for the bad actor.
This is the problem with the whole integration-to-prevent-conflict argument. It does not prevent conflict, it changes the way conflict is conducted. Importantly, it biases it toward things like espionage where we can't leverage things like the superior arms we do have. It's great for China, not so great for America. The response to the telecom hack should have been something swift and shocking,