Feds warn SMS authentication is unsafe after ‘worst hack in our nation’s history’


Do you use text messages for multi-factor authentication? You should probably switch to another method, especially with everything we’re learning about a recent hack that’s been called “the worst in our nation’s history.” Even the federal government is already issuing warnings, including a call for government officials to use only encrypted apps for communication.

Hackers linked to the Chinese government have penetrated the US telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications of a number of people, according to reports that first appeared in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen in on phone calls and intercept text messages, and the penetration was so extensive that they haven’t even been removed from telecom networks yet.

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting “highly targeted individuals”, which includes another warning about text messages.

“Don’t use SMS as a second authentication factor. SMS messages are not encrypted – a threat with access to a telecom service provider’s network that intercepts these messages can read them. SMS MFA is not phishing-resistant and therefore not strong authentication for highly targeted accounts,” said the guide, which was posted online.

Not every service even allows multi-factor authentication, and sometimes text messages are the only option. But when you have a choice, it’s better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting that it is really only talking about high-value targets.

Incredibly, even the FBI came out in favor of using encryption, which perhaps speaks to how serious this intrusion into the US telecom infrastructure has become. The FBI has a very long history of opposing any kind of encryption, at least any that does not provide some kind of backdoor that law enforcement can walk right through. Apps like Signal provide end-to-end encryption for messages, but they don’t make it impossible to hack.

“Adopt a free messaging app for secure communications that ensures end-to-end encryption, such as Signal or similar apps,” CISA said in its new guidelines. “CISA recommends an end-to-end encrypted messaging application that is compatible with both the iPhone and Android operating systems, enabling cross-platform text messaging interoperability. Such applications may also offer clients for MacOS, Windows, and Linux, and sometimes for the Web.”

There has been criticism of both the federal government and telecommunications companies for not taking Salt Typhoon seriously enough. Senator Mark Warner, Democrat of Virginia, spoke with The Washington Post and The New York Times at the end of November about the threat and raised the alarm. But the question remains what the average person can do about it. The answer seems to be that ordinary people can heed the advice of agencies such as CISA when they issue communications intended for dignitaries.

 