From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Sometimes the threat really is coming from inside your phone.
The US government is calling for organizations to abandon ubiquitous voice call and text authentication methods after activity by the high-profile Lapsus$ hacker group highlighted vulnerabilities in common login systems.
According to a Cyber Safety Review Board (CSRB) report published July 24, organizations must “urgently implement improved access controls and authentication methods and transition away from voice and SMS-based [multi-factor authentication]; those methods are particularly vulnerable.”
Instead, it recommended companies “adopt easy-to-use, secure-by-default, passwordless solutions, such as Fast IDentity Online (FIDO)2-compliant, phishing-resistant MFA methods.”
The vulnerabilities were on full display after Lapsus$, a group allegedly driven by teenage hackers, managed to infiltrate major companies like Microsoft, Samsung, Nvidia, and Okta starting in 2022.
The members targeted key employees with incessant authentication requests—including in the middle of the night—“with the goal of overwhelming them…until they said yes,” the report said. They sometimes even pretended to be help-desk employees who persuaded the targets to approve the MFA prompts.
The bad actors also employed fraudulent SIM swaps, which involve impersonating a mobile phone user to reroute messages and calls to a different device, to intercept MFA-related calls and messages, according to the CSRB.
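The push-bombing pattern described above (repeated prompts until the target approves), as an added example that is not from the article or the CSRB report: a small detector run over constructed authenticator push logs. The log shape, the 10-minute window, the three-prompt threshold and the "off hours" cutoff are all assumptions.

```python
"""Detect MFA push bombing: a burst of denied or unanswered push prompts to one
user, optionally followed by an approval. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, user, push result). Not real data.
SAMPLE_LOG = [
    ("2022-03-01T02:10:00", "alice", "denied"),
    ("2022-03-01T02:11:30", "alice", "denied"),
    ("2022-03-01T02:13:05", "alice", "timeout"),
    ("2022-03-01T02:14:40", "alice", "denied"),
    ("2022-03-01T02:16:00", "alice", "approved"),   # target finally said yes
    ("2022-03-01T09:00:00", "bob", "approved"),
    ("2022-03-01T17:30:00", "bob", "denied"),       # a single mistaken prompt
    ("2022-03-01T17:45:00", "bob", "approved"),
]


def detect_push_bombing(log, window=timedelta(minutes=10), threshold=3):
    """Return {user: finding} for users who received at least `threshold`
    non-approved push prompts within `window`. The finding records when the
    burst started, whether it began outside assumed business hours (before
    06:00), and the time of any approval that followed the burst."""
    by_user = defaultdict(list)
    for ts, user, result in log:
        by_user[user].append((datetime.fromisoformat(ts), result))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        recent = []  # sliding window of non-approved prompt times
        for when, result in events:
            if result != "approved":
                recent.append(when)
                recent = [t for t in recent if when - t <= window]
                if len(recent) >= threshold and user not in findings:
                    findings[user] = {
                        "start": recent[0],
                        "off_hours": recent[0].hour < 6,
                        "approved_after": None,
                    }
            elif user in findings and findings[user]["approved_after"] is None:
                # An approval right after a burst is the case worth paging on.
                findings[user]["approved_after"] = when
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(SAMPLE_LOG).items():
        print(user, finding)
```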
The report notes that while multi-factor authentication has grown both in public use and sophistication over the last 10 years, “the types of MFA used broadly in the online ecosystem today are not sufficient for most organizations or consumers defending against the type of attacks” that Lapsus$ and other cybercriminals are using.
“The digital ecosystem needs to prioritize moving beyond use of text-based strings for authentication,” the report said. It recommended a shift toward using built-in tokens, technologies like passkeys, and secure API standards like WebAuthn.