Warning! Don’t get your MFA codes via SMS Text Message
Hopefully by now everyone is using Multifactor Authentication (MFA or 2FA) to secure important logins for things like banking and healthcare portals, as well as business portals such as Microsoft and Google. That being the case, we need to further secure the MFA mechanism itself.
Thanks to the announcement late last year that Chinese threat actors have infiltrated all telecom providers in the US, we are now advising you to change your MFA method away from SMS texting for receiving your access codes. Why? Because those same threat actors can now intercept those codes and compromise the very information you are trying to protect.
The very best thing you can do to protect your identity and your PII is to begin using a reputable secure password vault that also stores and rotates your MFA codes. While there are some freebie versions available, you’ll likely need to pay a small fee every month to get fully featured versions that enable MFA functionality.
At Solve iT, we have vetted several of these apps over recent years and settled on Bitwarden for many reasons:
- Ease of use
- Security Practices of the company
- No corporate cybersecurity compromises
- Platform flexibility: Windows/Mac/iOS/Android, plus a plugin for every major web browser
- Autofill features (saves a LOT of time and aggravation)
We now offer this product in our contract bundle because it also provides a mechanism to address security during employee turnover. When an employee leaves one of our clients, we can easily shut down their access to company data and platforms by suspending their Bitwarden account. When their replacement is onboarded, we can simply transfer the secure vault over to the new employee.
Additionally, while we never endorse or promote sharing of logon credentials for any reason, put simply, there is sometimes no way around it. A corporate account allows for sharing of resources, including login credentials, in a secure manner. An example of this is our marketing team, which uses a few portals where creating multiple accounts is not possible or financially feasible.
Circling back to the threat posed by the Chinese hackers (dubbed Salt Typhoon), you are now advised to not text your SSN or any passwords unless you are using an end-to-end encrypted messaging service (or texting service). If you need to send confidential or Personally Identifiable Information (PII), then do it using encrypted email. Don’t even give that information over the phone because they could be listening.
I know this sounds alarming, and frankly, it should alarm not only the reader, but everyone. I’d like to know how this infiltration occurred and what is being done about it. Why is this not a major topic of discussion in the news media? At least Senator Ron Wyden of Oregon has crafted legislation, the “Secure American Communications Act”, that would put some enforcement in place for laws that were enacted in 1994. This should not be a partisan issue, and Congress should act NOW. Telecom providers have been left to their own devices in terms of developing a cyber security posture, and that has failed us as a nation.
I am not a proponent of over-regulation, but in some cases, this one specifically, doing nothing has not been an acceptable answer to the threat.
Now it appears that our government is willing to pay the telecom providers to replace the Chinese gear that began all of this in the first place... to the tune of $3.08 billion. I’m not sure why the taxpayers have to foot the bill for carriers’ decisions to purchase cheapo Chinese network gear. I can see providing financial tax incentives or even subsidies on some level, but there also must be some guidelines so that the telecom companies are taking into account a more global outlook on the network gear manufacturers from whom they choose to purchase.
The taxpayer shouldn’t have to foot that bill, and telecom providers should not be willing to sacrifice security in the pursuit of revenue or increasing their bottom line.
Unless our government forces telecom providers to pay attention and consider more than their bottom line, we will see more of this from nefarious state-sponsored actors. In the meantime, take measures to protect yourself, your family, and your business. Start with a secure password vault.
UPDATE 1.7.2025 - Verizon, AT&T, and T-Mobile report detecting no activity of foreign nation states on their networks. Not detecting activity does not equate to those actors having no access. Our warning and strong recommendation stand.