New ask Hacker News story: Tell HN: China has all your SMS 2FA

Tell HN: China has all your SMS 2FA
3 by 0xbadcafebee | 0 comments on Hacker News.
As has been posted on HN recently[1], US officials are urging Americans to use encrypted apps for communication, as China has become deeply embedded in the American telecom system. The extent of the compromise is so deep that they don't know when they can remove all the Chinese hackers.

It occurred to me as I was trying to log into a financial website that the default 2FA method was still SMS. SMS is famously not secure over telecom networks. But with the rise of this Chinese hack of American telecom systems, it seems clear that China has had access to all our SMS 2FA codes. And they will continue to have access for an undetermined amount of time.

So this is a reminder that, if you're in the USA, and you use SMS 2FA, there's little stopping China from taking over your account.

(Typically accounts are taken over by hackers by using account recovery steps, like secret answers [which are predictable]. But compromised, reused, or phished passwords also allow account compromise. 2FA is supposed to make this harder, but if they can read all your 2FA codes, we're back to "just passwords" and all their flaws)

Please ask whoever you do business with to prioritize moving away from SMS 2FA, towards something else, like TOTP [which is flawed, but not nearly as flawed as SMS] or Passkeys.

[1] https://ift.tt/ygVQBGF
