The FBI is warning Americans to exercise extreme caution when texting between Androids and iPhones after one of the largest data breaches in U.S. history was recently discovered, impacting millions of people. “Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them,” says the Cybersecurity and Infrastructure Security Agency (CISA) in a recent memo. Here’s what customers need to know.
Ongoing Breach
Dubbed “Salt Typhoon”, hackers affiliated with the Chinese government reportedly hacked into AT&T, T-Mobile, Verizon Wireless, and other telecoms companies in the U.S. and worldwide to spy on high-profile individuals. The breach is a “very, very serious matter” that is “still going on,” Homeland Security Secretary Alejandro Mayorkas told MSNBC.
Use Encrypted Messaging, Not SMS
Officials are recommending the use of encrypted messaging platforms to avoid sending SMS texts. "Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it. So our advice is to try to avoid using plain text," Jeff Greene, CISA's executive assistant director for cybersecurity, tells NPR. Telegram, WhatsApp, and Signal are all good choices for encrypted messaging apps.
New Guidelines
The new guidelines are no surprise for experts who have been warning about these potential breaches. "People have been talking about things like this for years in the computer security community," Jason Hong, a professor at Carnegie Mellon University's School of Computer Science, told NPR. "You should not rely on these kinds of unencrypted communications because of this exact reason: There could be snoopers in lots of infrastructure."
Who Is At Risk?
The average person is probably not of huge interest to hackers, but should still be incredibly careful about texting personal or sensitive information through SMS. "If you are in business, if you are a journalist, if you are somebody in contact with democracy protesters in Hong Kong or Shenzhen or Tibet, then you might want to assume that your phone calls and text messages are not safe from the Chinese government," Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), tells NPR.
Stop Using SMS for Two-Factor Authentication
Anyone who has your username and password can monitor your text messages for one-time passcodes and two-factor authentication, Galperin warns. "This is a really serious security risk," she says, advising a physical security key or Google Authenticator/Authy instead.
VPN Risk
Using a virtual private network (VPN) will not protect you from hackers, CISA warns. “Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.”