[Taipei, Taiwan] [2025.01.13] In the wake of what FBI officials have called “the worst hack in our nation’s history,” the Cybersecurity and Infrastructure Security Agency (CISA) has issued a stern warning against the use of SMS-based authentication codes, emphasizing their vulnerability to phishing and other advanced attacks. This announcement is part of a broader effort to encourage businesses, organizations, and individuals to adopt more secure, phishing-resistant authentication methods such as passkeys or authenticator apps.
Background: The Salt Typhoon Incident*
The catalyst for this warning is the recent “Salt Typhoon” cyberattack, a Chinese espionage campaign that resulted in an unprecedented breach, exploiting U.S. internet service provider systems used by law enforcement to facilitate CALEA requests for court-authorized wiretapping. The Salt Typhoon cyberattack demonstrated how attackers can intercept SMS one-time passwords (OTPs), abusing systemic weaknesses in SMS-based authentication to gain unauthorized access to critical systems, expose sensitive data, and cause widespread disruption.
The Core Issue: SS7 Protocol Flaws
At the heart of SMS vulnerabilities lies the Signaling System 7 (SS7) protocol, a decades-old telecommunications standard used to route calls and messages. While SS7 is integral to global communication networks, its inherent design flaws allow hackers to intercept text messages, bypassing SMS OTP security measures. This flaw, combined with the growing sophistication of phishing techniques, renders SMS authentication increasingly unsafe.
CISA’s Call to Action**
CISA has outlined the following critical measures to mitigate risks:
- Transition to Phishing-Resistant Methods: Organizations are urged to adopt secure authentication alternatives, such as:
  - Passkeys: Cryptographically protected credentials stored on trusted devices.
  - Authenticator Apps: Generate time-based OTPs that are not transmitted over vulnerable channels.
- Eliminate SMS for Recovery and 2FA: SMS should not be used for account recovery, binding codes, two-factor authentication (2FA), or any other password-related purposes. These functions should rely on end-to-end encrypted, phishing-resistant solutions.
- Educate Users: Businesses and institutions must educate their users about the risks associated with SMS-based security and provide clear guidance on adopting more secure practices.
Consequences of SMS OTP Fraud
The reliance on SMS OTP authentication exposes individuals and organizations to a wide range of risks:
- Account Takeover (ATO): Attackers can exploit intercepted SMS OTPs to gain unauthorized access to personal and business accounts, leading to identity theft, financial loss, and reputational damage.
- Data Exfiltration: Once inside a compromised system, attackers can extract sensitive data, including trade secrets, personal information, and financial records.
- Infrastructure Attacks: Critical systems relying on SMS OTP for authentication are vulnerable to disruption, as seen in the Salt Typhoon attack, which compromised essential infrastructure and services.
- Escalation of Privileges: Intercepting SMS OTPs can allow attackers to bypass initial security measures and escalate their access within a network, amplifying the potential for harm.
- Increased Recovery Costs: Remediating the damage caused by SMS OTP-related breaches often involves significant financial and operational costs, including forensic investigations, legal fees, and system overhauls.
Looking Ahead
As cyber threats continue to evolve, the need for robust, secure authentication methods has never been greater. By embracing end-to-end encrypted, phishing-resistant technologies, organizations can safeguard against future attacks and protect the integrity of their systems and data.
Keypasco Authentication Solution
Keypasco authentication solutions can eliminate “all” risks that SMS OTP fraud could cause, as referred to above. Our product’s key features are highlighted below:
- Only the right user, in person, can log in, and only from their associated personal devices and within the predefined locations and time periods.
- Our product infrastructure does not distribute credentials; hence, there is no identity to steal.
- Separate service-access and encrypted authentication channels mitigate Man-in-the-Middle (MiTM) attacks, Man-in-the-Browser (MiTB) attacks, ID theft, phishing attacks, and Account Takeover (ATO).
- Smooth and secure recovery by personal NFC devices.
- Sign What You See via Keypasco app on associated mobile device.
- Easy mass enrollment while being more cost-efficient than the traditional SMS OTP method.
Contact Us
Contact [Cheng I Lin] at [chengi@lydsec.com] for more information on secure authentication practices and to understand how your business can benefit from it.
Citation:
*https://www.newsweek.com/iphone-android-users-texting-cyberattack-1996429
**https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf