CISA Finds Hackers Exploited SMS Authentication Weakness

The review board’s report recommends phishing-resistant multifactor authentication.

The Cyber Safety Review Board released a report, requested by the Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, on the cyber attacks that impacted several technology companies in 2021 and 2022. The report said the hacking group Lapsus$ exploited the inherent weaknesses of multifactor authentication codes, and it cited the need to implement phishing-resistant multifactor authentication.

The board found that the hacking group was able to circumvent short message service (SMS) authentication by using easy-to-purchase SIM cards to quickly intercept text login codes.

“Adopting more advanced [multifactor authentication] capabilities remains a challenge for many organizations and individual consumers due to workflow and usability issues,” the report states.

“Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient,” the report continued. “Organizations that maintained and followed their established incident response procedures significantly mitigated impacts.”

The report recommended that the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) increase oversight and enforcement regarding SIM swapping.

As the Lord Leads, Pray with Us…

  • For discernment for Director Easterly as she oversees CISA.
  • For Chair Lina Khan and members of the FTC as they consider the Cyber Safety Review Board’s recommendations.
  • For Chair Jessica Rosenworcel and officials of the FCC as they evaluate measures regarding SIM authentication.

Sources: Federal News Network, The Record

