The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning against the continued use of SMS-based two-factor authentication (2FA) on mobile devices, citing multiple security vulnerabilities that could compromise user accounts. The advisory follows a series of recent telecommunications breaches that have highlighted the growing risks of SMS-based security measures.
The agencies identified several key vulnerabilities in SMS-based 2FA systems, including the transmission of messages in clear text, making them susceptible to interception by attackers. SIM swapping attacks, where criminals convince mobile carriers to transfer a victim’s phone number to a new SIM card, represent another significant threat vector. These attacks have become increasingly sophisticated, as demonstrated by a recent nationwide fraud scheme that led to multiple federal indictments.
Technical vulnerabilities in the telecommunications infrastructure, particularly the Signaling System 7 (SS7) protocol, can enable hackers to redirect SMS messages. Additionally, SMS-based 2FA remains vulnerable to phishing attacks, as users can be manipulated into revealing their authentication codes.
The warning comes in the context of a major telecommunications breach dubbed “Salt Typhoon,” which has affected major U.S. carriers including AT&T, T-Mobile, and Verizon. The breach, allegedly linked to Chinese actors, has enabled the interception of non-encrypted SMS messages.
“We cannot say with certainty that the adversary has been evicted. We’re tracking them, but we cannot confidently claim we know everything,” said Jeff Greene, Executive Assistant Director for Cybersecurity at CISA.
As alternatives to SMS-based 2FA, the agencies recommend several more secure authentication methods. These include encrypted messaging platforms like Signal and WhatsApp, dedicated authentication apps, and FIDO authentication standards, which are supported by major technology companies including Apple, Google, and Microsoft. The FIDO Alliance has made significant progress in recent years, with major tech companies committing to cross-platform support for passwordless authentication.
The agencies also advocate a multi-layered security approach that combines encrypted platforms with multi-factor authentication to protect against unauthorized access and SIM-swapping attacks. The recommendation marks a shift away from traditional SMS-based methods toward more robust authentication protocols. It aligns with recent initiatives from mobile carriers, which have begun implementing additional security measures, including network-based API solutions intended to combat fraud and strengthen authentication.
Sources: Mobile ID World, Slashdot, The Yeshiva World