Vulnerability Found In Telegram SMS Authentication
Following the news that Iranian security researchers have found a vulnerability in Telegram’s SMS authentication, Mark Loveless, Senior Security Researcher with Duo Labs, commented below.
Mark Loveless, Senior Security Researcher at Duo Labs:
“Reports suggest that the Telegram accounts in Iran were compromised through what appears to be coordination between attackers and cellphone companies, taking advantage of the fact that SMS is used to add new devices to existing Telegram accounts. While this implies cooperation by the cellphone companies, this cooperation is often not required. Attackers have been known to social engineer cellphone companies to get the same level of ‘coordination’, or to use other, more technical means to compromise SMS, leaving all applications that use security measures involving SMS vulnerable. This is exactly why NIST recommends against using SMS as a part of 2FA (Two Factor Authentication), and why we always encourage our customers to use the cryptographically secure Duo Push for 2FA.
This is still not an excuse for using a weak password, or no password at all, on Telegram accounts. Reducing one of your two factors for authentication reveals any weaknesses in the other factor. Always use strong and unique passwords on all accounts – but especially in cases where they are being used to protect secure communications. This also includes email accounts that are used for password recovery.”