EXECUTIVE SUMMARY:

According to the Cyber Safety Review Board (CSRB), which is convened by DHS and administratively supported by CISA, telecommunications carriers are not adequately protecting their customers from SIM swapping. The Board recommends that public and private organizations adopt passwordless, phishing-resistant authentication and a zero trust architecture in order to reduce the number of future SIM swapping incidents.

In 2021 alone, Americans reported losing more than $68 million to SIM swapping attacks, according to the FBI, which has warned of a sharp and unsettling uptick in the use of this particular attack technique.

What is SIM swapping?

If you need a quick refresher: SIM swapping, sometimes known as SIM hijacking or port-out fraud, is a social-engineering attack in which a victim's mobile phone number is moved to a SIM card (or eSIM) under the attacker's control, typically by deceiving the carrier's support or retail staff. Because the number now terminates on the attacker's device, every call and text meant for the victim arrives at the attacker instead, including the one-time security codes sent by banks, cryptocurrency platforms and other services as a second factor.

SIM swapping typically occurs after criminals have acquired the victim's personal data (name, address, date of birth, account numbers, answers to security questions) through phishing or by buying compromised records on the dark web. Often the victim's email account is compromised first, which lets the attacker read, intercept or reset communications with the carrier and other providers, culminating in the SIM swap itself.

CISA’s recommendations

The report asks that FIDO2-compliant, passwordless authentication be built into consumer devices and applications by default. That, in turn, would allow organizations to move all of their staff to passwordless authentication, according to the Board.

Beyond passwordless authentication and a zero trust architecture, the CSRB urged organizations to invest broadly in strategies that prevent and mitigate cyber attacks, and recommended closer security alignment between companies and their third-party providers, since several of the intrusions it examined came in through vendors.

The latest report on the topic was written by the Cyber Safety Review Board (CSRB), a public-private body whose members come from the U.S. Department of Homeland Security, CISA, the Department of Defense, the Federal Bureau of Investigation and private companies such as Google.

Telecommunication security

“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” said Robert Silvers, CSRB chair and DHS Under Secretary for Policy.

The Board found deficiencies in three areas: how companies ensure the security of their vendors, how carriers guard customer accounts against SIM swapping, and how enterprises authenticate users on their systems.

As described above, telecommunications providers are strongly advised to strengthen the controls that protect customer accounts, in particular the identity checks performed before a number is moved to a new SIM, so as to prevent SIM swapping and the account takeovers that follow it.

LAPSUS$ attacks

Over the past two years, hackers associated with the LAPSUS$ group carried out a string of intrusions by exploiting weaknesses such as over-reliance on SMS-based two-factor authentication: once a target's number had been SIM-swapped, the SMS code protecting the account was delivered straight to the attackers.
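The weakness the report keeps returning to, an SMS code as the second factor, is easiest to see side by side with the FIDO2 factor it recommends. The following is an added example written for this article, not code from the CSRB, CISA, Microsoft or any carrier: the carrier, the relying party bank.example, the look-alike origin bank-login.example, the user alice and the phone number are all invented, and an HMAC with a device-held secret stands in for the authenticator's signature so that the example runs on the Python standard library alone. It plays out the attack described under "What is SIM swapping?" above: after the number is re-pointed, the attacker completes an SMS-OTP login, but cannot complete a FIDO2 login, cannot harvest a usable assertion through a look-alike origin, and cannot replay a captured assertion.

```python
"""Toy model of why an SMS one-time code falls to a SIM swap while a
FIDO2/WebAuthn-style assertion does not.  Constructed illustration: the
carrier, services and names are invented, not taken from the CSRB report."""
import hashlib
import hmac
import secrets

class Carrier:
    """Hypothetical carrier: an SMS lands on whichever SIM a number maps to."""
    def __init__(self):
        self.number_to_sim = {}  # phone number -> SIM id
        self.inbox = {}          # SIM id -> texts received

    def assign(self, number, sim_id):
        # Initial activation, or, called again for a live number, the SIM swap
        # itself: what a fraudulent call to carrier support achieves.
        self.number_to_sim[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def send_sms(self, number, text):
        self.inbox[self.number_to_sim[number]].append(text)

class SmsOtpService:
    """SMS second factor: proves only who currently holds the number."""
    def __init__(self, carrier):
        self.carrier, self.pending = carrier, {}  # pending: user -> code

    def start_login(self, user, number):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        self.carrier.send_sms(number, f"Your code is {self.pending[user]}")

    def finish_login(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)

class Authenticator:
    """FIDO2-style authenticator: one credential per relying-party ID (rpId),
    created at registration and never exported.  An HMAC over (rpId, challenge)
    stands in for a real authenticator's ECDSA signature, so this toy RP also
    holds the secret; a real RP stores only the public key."""
    def __init__(self):
        self.keys = {}  # rpId -> device-held secret

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id, challenge):
        key = self.keys.get(rp_id)  # a look-alike origin has no credential
        if key is None:
            return None
        return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).digest()

class Fido2Service:
    def __init__(self, rp_id):
        self.rp_id, self.creds, self.challenges = rp_id, {}, {}

    def start_login(self, user):
        self.challenges[user] = secrets.token_bytes(32)  # single use
        return self.challenges[user]

    def finish_login(self, user, assertion):
        chal = self.challenges.pop(user, None)
        if chal is None or assertion is None or user not in self.creds:
            return False
        expected = hmac.new(self.creds[user], self.rp_id.encode() + chal,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

def run_scenarios():
    """Which logins succeed once the victim's number has been SIM-swapped."""
    carrier = Carrier()
    carrier.assign("+15550100", "victim-sim")
    alice_device, attacker_device = Authenticator(), Authenticator()
    sms, fido = SmsOtpService(carrier), Fido2Service("bank.example")
    fido.creds["alice"] = alice_device.register("bank.example")
    carrier.assign("+15550100", "attacker-sim")  # the SIM swap

    # 1) SMS OTP: the attacker now receives the code and completes the login.
    sms.start_login("alice", "+15550100")
    stolen_code = carrier.inbox["attacker-sim"][-1].split()[-1]
    sms_bypassed = sms.finish_login("alice", stolen_code)

    # 2) FIDO2: holding the number is useless; the credential is on Alice's device.
    chal = fido.start_login("alice")
    fido_bypassed = fido.finish_login("alice", attacker_device.get_assertion("bank.example", chal))

    # 3) Phishing: Alice's own device, asked by a look-alike origin, yields nothing the RP accepts.
    chal = fido.start_login("alice")
    fido_phished = fido.finish_login("alice", alice_device.get_assertion("bank-login.example", chal))

    # 4) Alice's genuine login works, and a captured assertion cannot be replayed.
    chal = fido.start_login("alice")
    assertion = alice_device.get_assertion("bank.example", chal)
    fido_legit = fido.finish_login("alice", assertion)
    fido_replayed = fido.finish_login("alice", assertion)

    return {"sms_otp_bypassed": sms_bypassed, "fido2_bypassed": fido_bypassed,
            "fido2_phished": fido_phished, "fido2_legit": fido_legit,
            "fido2_replayed": fido_replayed}
```

Calling run_scenarios() returns sms_otp_bypassed as True and every FIDO2 bypass attempt as False, with only Alice's genuine login succeeding. The design point is the one the Board makes: an SMS code authenticates whoever holds the phone number at that moment, which a carrier employee can change in a single call, whereas a FIDO2 assertion authenticates possession of a key that never leaves the device and is scoped to the origin that created it.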

LAPSUS$ attackers proved adept at obtaining victims' phone numbers and passwords by mining publicly available information and by making fraudulent phone calls to help desks and carriers, backed up by spear phishing campaigns.

LAPSUS$, which Microsoft tracks as Strawberry Tempest (formerly DEV-0537), has been linked to a variety of high-profile intrusions, some built on SIM swapping and others not. In 2022, it was among the most active and damaging threat groups tracked by the industry.

Further thoughts

“The CSRB’s latest report reinforces the need for all organizations to take urgent steps to increase their cyber resilience, including the implementation of phishing-resistant multi-factor authentication,” said Jen Easterly, director at CISA.

For the latest from CyberTalk.org on passwordless authentication, click here. For further insights into zero trust, click here. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.