Today’s Observer column:
You know the drill. You’re logging into your bank or another service (Gmail, to name just one) that you use regularly. You enter your username and password and then the service says that it will send you an SMS message with a code in it which you can use to confirm that it is indeed you who’s logged in. It’s called “two factor authentication” (2FA) and it passes for best practice in our networked world, given that passwords and login details can easily be cracked.
Sadly, our world is wicked as well as networked, and that SMS message can be redirected to someone else’s phone – that of the criminal who has logged in using your phished personal details – and who is now busily emptying your current account.
This kind of skulduggery has been possible for years. I’ve just come across an account of it happening to bank customers in Germany in 2017, but security experts were warning about it long before that…
LATER Reuters quoting a WSJ report “that U.S. national security adviser Jake Sullivan told telecommunications and technology executives at a secret White House meeting in the fall of 2023 that Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will.”