Posted on 12/28/2024 3:29:42 AM PST by bitt
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS-CISA) released an issuance entitled “Mobile Communications Best Practice Guidance” on December 18, 2024.
From the classic cybersecurity practitioner’s perspective, it was full of technical guidance on how to make the mobile computing environment secure.
Having been part of the combined, inter-agency response team for several broad enterprise breaches over the past 20 years, my interest was piqued.
These documents take months and months of analysis, staffing, and inter-agency approval before publishing. As I read through the DHS CISA document, several flags began to jump out at me.
First, the guidance was complex from even the cybersecurity expert’s point of view, much less the average, typical user of mobile computing and smartphones.
Second, the document did not reference any of the “Typhoon” series of Chinese intrusions that were first revealed by Microsoft in May of 2023.
And third, after years of lecturing everyone on the merits and virtues of 2FA (Two Factor Authentication) there was a sentence that belied panic.
The lead was buried in the third point of guidance: “Do not use SMS as a second factor for authentication.”
(Excerpt) Read more at thegatewaypundit.com ...
Bears repeating: DO NOT USE SMS (text messages) FOR MFA!
It is trivially easy for threat actors, esp. nation states, to steal access to your mobile number through SIM swapping. There are recent high-profile breaches where threat actors went into brick-and-mortar cell provider storefronts and paid exorbitant amounts of money to bottom-rung salespeople to create SIM cards for accounts they don’t own. Why wouldn’t some schlub making $12/hr. fork over some SIM cards to someone paying thousands or tens of thousands of dollars?
The bad guys now have your phone, and anything where you’re using SMS to get into something important, they have the code to login. There are some additional industry-specific considerations here that CISA isn’t discussing, which is a concern, but NIST has been anti-SMS and phone since 2015.
If you’re proactive it wouldn’t happen.
When you’re pathetic at your job, have blinders on and are more concerned about gender and skin color then shxt happens on your watch.
That is a great article, I hope President Trump is tough on China in every way.
China has had their way with the USA for 4 years as this compromised trashy Obama/Brennan/Biden administration has turned a blind eye to our being abused.
They should ask Hunter why the Chinese are doing this.
I fear the number of CCP Sleeper cells in all our telecommunication firms thanks to these destructive H 1 Visa programs .
Quick, Elon. Let’s outsource more and give even more crucial tech jobs to foreigners!
DHS getting ready to turn our lights out before Jan 20th?
Q:what do you call a government that encourages deep penetration of an unwilling victim? A: an accessory to rape.
What is MFA?
When we gave all our secrets to China, well, duh, what’d Clinton think would happen?
Trump needs to be tough on China BUT Musk and Vivek need to shut down a lot of these so called ‘institutions’ that don’t do crap beyond pay themselves and stir the pot for democrats. Homeland, FEMA, DOJ and several others are a total waste of money. Close them down and create something new with better incentive, a sane ‘business’ culture, and ZERO “Didn’t Earn It” DEI employees.
Here is the full guidance on MFA from the report being cited; the section quoted is addressing “highly targeted individuals”:
* * *
https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
3. Migrate away from Short Message Service (SMS)-based MFA.

Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.

Note: Some online services may default to SMS during account recovery flows; it may not be feasible for you to completely eliminate SMS messages from the service.

For less valuable accounts, use other forms of MFA such as authenticator codes. Set up these accounts with a free authenticator application for MFA, such as Google Authenticator, Microsoft Authenticator, or Authy.

Note: While authenticator codes are better than SMS, they are still vulnerable to phishing. Only FIDO authentication is phishing-resistant.

Once enrolled, disable SMS for each account. Enrollment in authenticator-based MFA does not automatically unenroll the account’s SMS. This can create a weak, exploitable fallback mechanism that can be exploited by threat actors.
It seems no one listened to the SMS MFA issue. Everyone still does it because everyone else still does it.
Can’t disagree with any of that comment, other than to say Vivek and Elon only have input and no authority. So, they have to be very sure of their proposals and very influential in their presentations, to get bipartisan support they will need to succeed.
Multifactor Authentication, also known as Two-Factor Authentication. It's the process where you provide a secondary form of identification for you to login to your account such as a token code from an app on your phone in addition to your password.
Thx...I knew TFA...mfa stumped me...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.