CISA: Do not use SMS as a second factor for authentication [pdf] (cisa.gov)
42 points by zdw on Dec 20, 2024 | hide | past | favorite | 22 comments


An undersold (but not really related to security) feature of eschewing SMS is that you aren't subject to the availability of the mobile network and SMS API that the authenticating service uses. It actually makes the auth procedure more resilient to move away from SMS.


>While applicable to all audiences, this guidance specifically addresses “highly targeted” individuals who are in senior government or senior political positions and likely to possess information of interest to [PRC-affiliated threat actors who hacked telecom networks].

Most people are never going to be targeted by intercepts or even by SIM swaps, and would still be just as vulnerable to phishing if they switched to TOTP. If you want better protection, hardware authenticators and passkeys are the best options.
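An added example (not from the thread) of the distinction this comment draws: a server verifying a TOTP code has no way to know on which site the user typed it, whereas a WebAuthn-style relying party checks the origin and RP ID hash that the browser recorded, so an assertion produced on a look-alike origin fails verification. The seed, device key, challenge and domain names are constructed, and HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample values; not real secrets.
TOTP_SEED = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-device-key"  # stands in for the authenticator's private key
RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(seed: bytes, code: str, now: int) -> bool:
    """The server cannot tell where the code was typed: a relayed code verifies like a genuine one."""
    return any(hmac.compare_digest(code, totp(seed, now + d)) for d in (-30, 0, 30))


def authenticator_assert(origin: str, challenge: str) -> dict:
    """Simplified browser+authenticator side of a WebAuthn assertion; the browser records the origin."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, derived from the origin
    to_sign = auth_data + hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def server_accepts_assertion(a: dict, issued_challenge: str) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN or a["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = a["auth_data"] + hashlib.sha256(a["client_data"].encode()).digest()
    return hmac.compare_digest(a["sig"], hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest())


def demo() -> dict:
    now, challenge = 1_700_000_000, "constructed-challenge"  # constructed timestamp and challenge
    code = totp(TOTP_SEED, now)  # the code a user would type into whichever page asked for it
    real = authenticator_assert(RP_ORIGIN, challenge)
    relayed = authenticator_assert("https://bank-login.example", challenge)  # same challenge, wrong origin
    return {"totp_relayed": server_accepts_totp(TOTP_SEED, code, now),
            "passkey_real": server_accepts_assertion(real, challenge),
            "passkey_relayed": server_accepts_assertion(relayed, challenge)}
```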


As someone who's worked in the wireless messaging / telecom industry, the "Salt Typhoon" news came as absolutely no surprise. The major U.S. carriers don't have the capacity or talent to deal with the more mundane threats of spam and scam calls / texts on their network, much less attacks by state-sponsored actors. For instance, there are only a handful of people (i.e., fewer than 5) who work in the wireless messaging (SMS, MMS, RCS) group at each carrier, and while well-intentioned individuals, there is a profound mismatch between their skills and capabilities and the responsibility of managing these telecom channels with massive consumer penetration (compare the 1000's of highly compensated engineers working at WhatsApp, FB Messenger, etc.)

And there's no incentive for the carriers to care. Sure, they get yelled at by Congress and the FCC every now and again, but since they're all roughly in the same boat there's zero competitive advantage for them to invest the tens of millions of dollars+ it would take to build out their security capabilities. Their lobbying arm, the CTIA, is funded by tens of millions of dollars in short-code messaging fees and they have bought an iron grip on the FCC and relevant Congressional committees that ensures any enforcement efforts are only a wrist slap. Consumers also largely don't seem to care.

So until something dramatic happens, you should assume that voice and messaging traffic flowing through the U.S. wireless carriers is completely exposed.


The focus in the article seems to be on best practices for banks, businesses, etc, as opposed to consumers, but there are specific tips for owners of Apple and Android phones.

"Do not use SMS as a second factor for authentication." Why? The reason given is that SMS doesn't have end-to-end encryption. Gmail has had end-to-end encryption since December 2022, so I'm thinking that if I'm given a choice between having a verification code texted to me or emailed to me, I should choose the email option.


It also states that SMS is not "phishing-resistant." I've received SMS messages that were phishing attempts at stealing my authentication credentials. It's also possible to re-route SMS messages via SIM swapping, SIM hijacking, or other methods (https://www.schneier.com/blog/archives/2021/03/easy-sms-hija...).

SMS is just not designed to be used as an authentication mechanism. We have more secure mechanisms now.


A private party can deploy a stingray in an urban area and steal your text messages as readily as the sheriff’s department can.

Nobody cares about mine, but this could be deployed near a residence where someone’s password or website is breached unbeknownst to them yet.

That could be a situation where they got a sysadmin or CEO or public figure and think they can get even more password leaks or breaches out of the target.

My email would be a snooze fest as I don’t have a personal account and don’t mix personal with business. But I do have credentials to lots of other people’s stuff.

Which, sometimes due to their own decisions, could be reset from my email I guess.

I don’t use SMS for any of it because I have a non-USA phone number which nobody supports anyway.


My main SMS is Google Voice, which (AFAIK, enlighten me otherwise) is immune to most attacks w/o some sort of social engineering.

I just wish it were trusted more, as the number of places that'll let me use it for 2FA is decreasing (but thankfully most of the places I've been Grandfathered in are still working with it).


Same, but I do worry that a phish on my Google account or a Google lockout is one step away from the complete takeover of my digital life.


Yeah, I'm more worried about some random GoogleFlag locking me out of my account than anything else. That being said, unlike most of the public I know a couple of Googlers personally, but it's a shame that I'd even need to be lucky like that.


I can't believe this is not more mainstream. I really appreciate CISA putting it in writing so I can start citing. But seriously, isn't this OBVIOUS?

I was today facing an issue with my BANK because they're locking me out of my account. The reason? I travel around the world and sometimes SMSs won't make it. Also, it's extremely easy to exploit. You can steal someone's phone number with just a bit of social engineering (at least in Europe's carriers). Also, you can steal a phone, remove the SIM card, and it'll work anywhere (yes, you can password-protect SIM cards, but not everybody does it).


>But seriously, isn't this OBVIOUS?

Please don't take this too personally, but this attitude, which I see reasonably frequently, is mind-boggling to me.

The answer to "isn't <insert nearly any infosec> obvious?" is - obviously - no. In fact, lamenting aloud how obvious it is is a form of insecurity, because you are discouraging normal humans from asking questions or seeking advice.

Unless of course you are implicitly referring only to tech-savvy people, but the default audience for end-user infosec advice is all humans.


Business people can ignore security people wanting to improve things. Much harder to ignore the security people saying "Per CISA, our security posture does not meet standards."

Even better when this gets into an audit checklist in 18-24 months and the security person can say "We will fail our next audit if we don't make this change"


Interesting that they mention LastPass and not Bitwarden in the password manager section.


The cynic in me supposes that's because they have backdoor access to LastPass and not to Bitwarden. Actually, LastPass keeps getting hacked so I just about expect it to be the case.


Or 1Password! They're doing neat things with Nitro enclaves.


What is a Nitro enclave?


They're AWS's attempt at a trusted execution environment. So your secrets are decrypted there with slightly more assurance that the platform can't snoop on them.


Funny when I send this to Ally bank they say I can opt to receive a phone call instead...

Seriously? It's going to take federal regulation to remove phones as "authentication" at this point. Incredibly stupid.


Yeah, and then lose access if you lose your device...


I wish more focus was placed on this. People need to make informed decisions and understand consequences so they can prepare. It's horrifying to me how, when suggesting solutions that carry this risk to normal people, the tech-savvy will casually omit the fact that, if this poor innocent normal person loses/breaks their device (or if their 2FA fails to transfer when they buy a new phone, WHICH I HAVE HAD HAPPEN TO ME and luckily caught it), they will permanently lose whatever personal data was under that 2FA.

I feel strongly enough about this that I am comfortable calling such irresponsible communication immoral. I'm not saying normal people shouldn't use solutions that have this caveat, but they absolutely need the risk to be made crystal clear to them.


If the data is important enough, e.g. bank accounts, there needs to be a backup to 2FA that is relatively painful - to make it resistant to attack - but not impossible.


If one were genuinely paranoid about privacy they could use this document as a list of services NOT to use.

I’m not sure I’d have a good rebuttal for “Why would I use anything the Feds recommend?”



