The US Cybersecurity and Infrastructure Security Agency (CISA) is calling for stricter SIM swapping protections and the transition to a passwordless future following last year’s Lapsus$ attacks. In a lengthy report released on Thursday by the Cyber Safety Review Board (the DHS review board that CISA administers, and the “Board” quoted below), the agency details the teen hacking group’s key techniques and provides recommendations to prevent similar attacks going forward.
Lapsus$ made headlines last year after it took credit for cyberattacks affecting major tech companies like Nvidia, Samsung, Ubisoft, T-Mobile, Uber, and Microsoft. The group also managed to steal and leak 90 videos containing gameplay footage from Rockstar’s upcoming Grand Theft Auto VI game. Seven people aged 16 to 21 connected to the group were arrested in London last year.
CISA asks that the Federal Trade Commission and Federal Communications Commission do more to protect consumers against SIM swapping attacks. Last month, the FCC proposed a new set of rules that would require wireless providers to “adopt secure methods of authenticating a customer” when performing SIM swaps.
“Lapsus$ was unique for its effectiveness, speed, creativity, and boldness; it operated in a way that gifted the Board a propitious lens through which we could see systemic issues in the digital ecosystem,” CISA writes. “Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use.”
Despite the scale of the Lapsus$ attacks, CISA says the group makes it clear “just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations.” One of the methods used by Lapsus$ is SIM swapping: gaining control of a target’s phone number by social-engineering carrier staff, or by other means, into moving the number onto a SIM the attacker controls. From that point the attacker, not the victim, receives every call and text sent to that number, including the one-time codes and password-reset messages that protect a victim’s sensitive accounts. Any account whose second factor is a code delivered by SMS or voice call is therefore only as secure as the carrier’s SIM-change process.
Because of this, CISA now recommends that companies move away from voice and SMS-based multifactor authentication in favor of passwordless solutions. It suggests that organizations use passkeys based on the FIDO2 standard instead. A passkey is a public-key credential: the private key stays on the user’s device (a phone, laptop, or hardware security key) and is unlocked locally with a fingerprint, face, or PIN, which is never sent to the website. Each sign-in is a signature over a fresh server challenge that is bound to the site’s origin, so there is no code that can be intercepted through a swapped SIM or typed into a look-alike phishing page. Many companies and password managers are already starting to support passwordless sign-in methods, including Google, 1Password, Microsoft, and Dashlane.
Additionally, CISA specifically calls on carriers to “implement more stringent authentication methods for SIM swapping.” That includes giving customers the ability to lock their accounts so that no SIM swap can be processed, requiring “strong identity verification” before any swap is carried out, and giving account holders a “detailed record” of when a SIM swap occurs so that an unauthorized one can be spotted and reversed quickly.
Given that the majority of known Lapsus$ hackers are teenagers, CISA also suggests having Congress fund “juvenile cybercrime prevention programs” as well as “fostering interruption and redirection programs” to prevent young people from getting involved in cybercrime in the future.