US Government Takes Action to Rectify Security Vulnerabilities Exploited by Lapsus$ Hackers in GTA 6 Leak

The US Cybersecurity and Infrastructure Security Agency (CISA) is advocating for stronger protections against SIM swapping and for a shift towards a passwordless future in response to last year’s Lapsus$ attacks. In a lengthy report released on Thursday, the agency outlines the key techniques used by the teenage hacking group and provides recommendations to prevent similar attacks in the future.

CISA is also urging the Federal Trade Commission and Federal Communications Commission to take further action in safeguarding consumers against SIM swapping attacks. The FCC recently proposed new rules that would require wireless providers to adopt secure authentication methods during SIM swaps.

“Lapsus$ was unique for its effectiveness, speed, creativity, and boldness; it operated in a way that gifted the Board a propitious lens through which we could see systemic issues in the digital ecosystem,” states CISA. “Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use.”

Despite the magnitude of the Lapsus$ attacks, CISA emphasizes that the group highlighted “how easy it was for its members (often juveniles) to infiltrate well-protected organizations.” SIM swapping, or gaining control of a target’s phone number through social engineering and other tactics, is one of the methods employed by Lapsus$. This enables the attacker to intercept calls or messages containing two-factor authentication codes for the victim’s sensitive accounts.

As a result, CISA now recommends that companies transition away from voice and SMS-based multifactor authentication in favor of passwordless solutions. It suggests using FIDO2-compliant passkeys, which allow users to sign in using their fingerprint or a hardware-based security key. Many companies and password managers, such as Google, 1Password, Microsoft, and Dashlane, have already begun supporting passwordless sign-in methods.

Additionally, CISA specifically calls on carriers to “implement more stringent authentication methods for SIM swapping.” This includes allowing customers to lock their accounts to prevent SIM swaps and requiring “strong identity verification” for SIM swaps, as well as providing account holders with a “detailed record” of any SIM swap activities.

Considering that the majority of the known Lapsus$ hackers are teenagers, CISA also suggests that Congress provide funding for “juvenile cybercrime prevention programs” and support initiatives aimed at redirecting young individuals away from cybercrime.
