Be careful – very careful! – when logging in to any website/service these days if it requires that you go through a two-factor authentication through your mobile device, whether you use Apple or Android devices. The federal government has warned that hackers have committed a breach that could steal your passwords.
The Cybersecurity and Infrastructure Security Agency (CISA) has uncovered cyber espionage conducted by threat actors affiliated with the People’s Republic of China (PRC) government, targeting commercial telecommunications infrastructure. This activity resulted in the theft of customer call records and the compromise of private communications for a small number of high-profile individuals. While relevant to all users, this guidance is specifically aimed at “highly targeted” individuals in senior government or political positions likely to hold information of interest to these threat actors. CISA is issuing this best practice guidance to enhance the protection of mobile communications against exploitation by PRC-affiliated and other malicious cyber actors.
A two-factor authentication (2FA) is a security process that provides a second layer of defense for your online accounts. It requires you to provide two different authentication factors to verify your identity. This means that even if someone manages to steal your password, they will still need access to your second factor (like your phone or another device) to log in.
These are temporary, one-time codes generated and sent to you by services like Netflix and Amazon whenever you try to log on through a new or different device or if you are traveling and log in from an unfamiliar IP. You must enter this code in addition to your password to gain access to an account or system. They add an extra layer of security because the code is time-sensitive and only valid for a short period, making it difficult for hackers to intercept and use.
CISA strongly urges highly targeted individuals to immediately review and apply the “best practices” to protect mobile communications.
“Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation,” warned the CISA. “While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors. Organizations may already have these best practices in place, such as secure communication platforms1 and multifactor authentication (MFA) policies. In cases where organizations do not, apply the following best practices to your mobile devices.”
