# **US Calls for Stricter SIM Swapping Protections and Passwordless Authentication**
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging increased safeguards against SIM swapping attacks and the adoption of passwordless authentication to prevent future cyberthreats. Last year’s Lapsus$ attacks highlighted the need for enhanced security measures, prompting CISA to release a comprehensive report outlining the techniques employed by the teenage hacking group and offering recommendations to mitigate similar attacks.
CISA is urging the Federal Trade Commission and Federal Communications Commission to take stronger action to protect consumers against SIM swapping attacks. In response, the FCC has recently proposed a set of rules requiring wireless providers to implement secure methods of authenticating customers during SIM swaps.
Describing Lapsus$ as unparalleled in its effectiveness and audacity, CISA emphasizes that the group’s activities have exposed systemic vulnerabilities in the digital ecosystem. The hacking group employed a series of highly effective techniques, which could potentially be leveraged by other threat actors as well.
Despite the magnitude of the Lapsus$ attacks, CISA highlights the ease with which the group, including juvenile members, infiltrated well-defended organizations. One of the primary methods employed by Lapsus$ is SIM swapping, in which the attacker gains control of a target’s phone number through social engineering and other means. This enables the attacker to receive the victim’s calls and texts, including two-factor authentication codes, and thereby gain access to sensitive accounts.
To address this issue, CISA recommends that companies move away from voice- and SMS-based multifactor authentication and adopt passwordless solutions instead. It suggests the use of passkeys compliant with the FIDO2 standard, allowing users to sign in using their fingerprint or a hardware-based security key. Several companies and password managers, such as Google, 1Password, Microsoft, and Dashlane, have already started supporting passwordless sign-in methods.
Additionally, CISA calls on carriers to implement more stringent authentication methods for SIM swapping. This includes enabling customers to lock their accounts and prevent SIM swaps, as well as requiring strong identity verification during the process and providing account holders with a detailed record of any SIM swap activities.
Considering that the majority of Lapsus$ hackers are teenagers, CISA proposes that Congress allocate funding for programs aimed at preventing juvenile cybercrime. It also suggests the development of interruption and redirection programs to steer young individuals away from engaging in cybercriminal activities in the future.
In conclusion, CISA strongly advocates for stricter security measures to combat SIM swapping attacks and emphasizes the importance of transitioning to passwordless authentication. By implementing these recommendations, both consumers and organizations can significantly enhance their protection against cyberthreats.