written by
Becca Calloway

FBI Warns: Text Messages Aren’t Secure


A new warning from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in December 2024 is making waves and causing many businesses to re-evaluate a central aspect of their cybersecurity strategy. This new warning somewhat invalidates advice we’ve given on this blog before, so we think it’s important to get the word out to our clients and readers.

Here’s what the FBI and CISA are warning about — and what the implications might look like for your business.

The Warning: Stop Texting

The tl;dr of the FBI’s warning is this: stop texting. (At least, stop texting anything you don’t want going public.)

If this sounds a little familiar, don’t tune out yet: yes, various government agencies have issued similar warnings in the past, but this one’s different. In the past, the warning was pretty general: text messages aren’t all that secure, so it’s possible that they could be intercepted if someone had the right technology and enough motivation.

This time, the US government is warning that state-aligned hackers in China (a group called Salt Typhoon) have started attacking US telecoms. They are working to steal user data and even record phone calls (though recording seems rare at this point).

In other words, this type of attack has changed from theoretical to real.

Two Specific Risks

Security researchers and government representatives note two specific risks associated with business use of text messaging: one is plain ol’ business espionage, and the other is the threat of compromised two-factor authentication (2FA).

Let’s take a look at these two risks and two corresponding solutions.

Risk #1: Business Espionage

First up, if state-affiliated hackers are in the systems of the telecom carrier your business uses, it’s possible that your text conversations could be compromised.

Worse, the same could be true even if your telecom is secure: if anyone you’re texting is using a different, compromised telecom, your text threads could be as public as a Twitter/X feed.

Now, SMS messages have never been a secure medium, but they feel pretty private. The difference now is that we have pretty strong evidence someone’s actively snooping.

Solution #1: Stop Texting Business Information

The solution to this risk? Don’t send business communications over SMS.

The things you might be tempted to text about can be sent another way. Messaging apps with end-to-end encryption include WhatsApp, Telegram, and even Facebook Messenger. Most information shared over text could also be moved to Slack, Microsoft Teams, or whichever other secure collaboration platform your business uses.

It might feel like a disruption or inconvenience to move your comms to a secure channel, but it’s worth the effort. Your business’s security is worth it.

Risk #2: Compromised 2FA

The second risk here is unfortunately something that many in the tech space, ourselves included, have actually recommended as a security upgrade in the past.

Two-factor authentication is any sign-in method that requires, well, two factors of authentication. The easiest way to set this up is with a username and password (that’s the first factor) and a separate, randomly generated alphanumeric string (that’s the second factor).

And the easiest way to set up this kind of 2FA is using text messages. This makes sense: if you know your username and password and have access to your smartphone (to retrieve the temporary code), then you’re a lot more likely to be you.

The problem is, if systems are compromised to a point that someone could intercept that SMS code, then all they need to access an account is a username and password.

In other words, this type of 2FA is theoretically no more secure than the old username and password by itself.

Solution #2: Change 2FA/MFA Method

The solution here is relatively straightforward: stop using SMS messages for 2FA.

There are other options that are more secure, including using an encrypted authenticator app or a physical key fob. Other more complex multifactor (MFA) methods are solid options, too.

Need help reconfiguring systems or performing a security audit? We’re here to help. Reach out anytime.
