CISA Urges Encrypted Messaging After Salt Typhoon Hack

Mobile users in the US should swiftly move away from using unencrypted SMS and adopt phishing-resistant multifactor authentication (MFA), the latest guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) has urged.

The guidance was prompted by the threat posed by Chinese-affiliated threat groups, including Salt Typhoon. This advanced persistent threat (APT) group recently targeted at least eight US telecommunications firms in a massive cyber espionage campaign.

CISA advised highly targeted individuals, those in senior government or senior political positions, to stop sending text messages using the unencrypted SMS protocol and adopt an end-to-end encrypted messaging app like Signal instead.

The Agency also recommended moving away from SMS-based MFA and replacing it with phishing-resistant MFA, choosing from the various FIDO2-enabled options listed by the Fast Identity Online (FIDO) Alliance. Users should enable MFA across all their services, mainly social media and services provided by Microsoft, Google and Apple.

“For Gmail users, enroll in Google’s Advanced Protection (APP) program, as it strengthens your defenses against phishing and account hijacking,” added the Agency.

Other recommendations include:

  • Using a password manager
  • Setting an additional PIN or passcode for your mobile phone account
  • Updating software and applications regularly
  • Avoiding personal virtual private networks (VPNs)

“Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies,” the Agency added. “However, if your organization requires a VPN client to access its data, that is a different use case.”

The guidance also outlined specific security recommendations for iPhone and Android phone users.

These include enabling Apple’s Lockdown Mode and Google Play Protect, enrolling in Apple iCloud Private Relay and configuring Android Private Domain Name System (DNS) to use a trusted resolver, such as Cloudflare’s 1.1.1.1 Resolver, Google’s 8.8.8.8 Resolver, and Quad9’s 9.9.9.9 Resolver.
