Exam CS0-002 topic 1 question 3 discussion

D. SMS is a cleartext protocol and does not support encryption. The primary justification for prohibiting the use of SMS tokens in a Multi-Factor Authentication (MFA) policy is the lack of security associated with SMS. SMS is considered less secure for several reasons, and one significant concern is that it is transmitted in cleartext, meaning the information is not encrypted during transmission. This makes it more vulnerable to interception and eavesdropping. Option A (SMS relies on untrusted, third-party carrier networks) is also a valid concern and relates to the potential for interception or SIM swapping attacks. However, the lack of encryption (Option D) directly speaks to the inherent security weakness in using SMS for authentication.

The point is the is cleartext protocol so everything can be seen

Key word "A security analyst is revising" which means If the company is already using Multi-Factor Authentication (MFA) but is considering revising the policy to prohibit the use of SMS tokens, the justification can be based on security concerns associated with SMS. In this case, the analyst should provide reasoning for discontinuing the use of SMS tokens despite their existing implementation. The most suitable justification would be: D. SMS is a cleartext protocol and does not support encryption.

I hate this question and I hate all the idiots on this thread. SMS tokens are the weakest MFA because of SIM swapping attacks. SIM swapping attacks happen from insider attacks or social engineering attacks at third party carriers. Third party carriers are untrusted a-holes that will carelessly port your number for an impersonator or take a bribe.

A. SMS relies on untrusted, third-party carrier networks is the most appropriate justification for prohibiting the use of SMS tokens as part of a company's MFA policy.

Agreed, this is D.

This one is tricky

A. SMS relies on untrusted, third-party carrier networks is the most appropriate justification for prohibiting the use of SMS tokens as part of a company's MFA policy. SMS tokens are a form of two-factor authentication (2FA) that relies on a text message being sent to the user's mobile phone. However, this method has been criticized for its security limitations, including the reliance on untrusted, third-party carrier networks to transmit the text message. These networks are vulnerable to interception and can be compromised by attackers, making SMS tokens less secure than other forms of 2FA, such as hardware tokens or mobile authentication apps. - ChatGPT

The correct answer is D.

Strings sounds better. https://www.javatpoint.com/linux-strings-command

D is right

SMS/MMS/Messaging Short Message Service (SMS) is a text messaging service component of most telephone, World Wide Web, and mobile telephony systems. Multimedia Messaging Service (MMS) handles messages that include graphics or videos. Both technologies present security challenges. Because messages are sent in clear text, both are susceptible to spoofing and spamming.

https://techcrunch.com/2018/12/25/cybersecurity-101-guide-encrypted-messaging-apps/

CompTIA proper doesn't seem to discuss "sms tokens", but from what I can gather, this question is asking about SMS OTP for SSO. Link discusses some of the concerns of that. Biggest issue, is that it's better to use an OTP App that uses encryption vs using plain text sms to deliver OTPs. https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/authentication-methods/