SECURITY: SMS should NOT be used for 2FA

*** begin quote ***

“The company that routes SMS for all major US carriers was hacked for five years. It isn’t revealing whether or not messages were exposed, but it’s just another reason not to use SMS for 2FA.”

*** end quote ***

So for the average layman, it means that if any service provider texts codes to your phone as a way of securing your account, that account is at risk of a security breach.

I’ve begun communicating with the providers I use, putting them on notice that (1) they are using an insecure technology to secure my account; and (2) asking when they plan to switch to a phone-based authentication technology or something better.

Now, if they say they use the GOOGLE or APPLE authenticator, you can point out that those too are insecure by design, since a hack of either high-profile target will make you vulnerable.

Using a “home grown” authenticator (something written by the service provider, like IDME) doesn’t have the transparency of source code to assure security.

Any “home grown” authenticator, or the Google or Apple authenticators, does NOT separate the necessary and sufficient controls for good Information Security.

Suggest you tell them to support AUTHY or other third-party authenticators.  This is more secure because the “key” is held only by them and by you, locally on your phone.

Or if they really want to protect you, they can give you a hardware token like YUBIKEY or a hardware authenticator like SECURE_ID.

—30—