
CISA Advises Firms to Adopt Passwordless Security in LAPSUS$ Report


A series of high-profile cyber attacks carried out by teenage hackers in 2021 and 2022 reveals systemic flaws in the telecommunications industry and in the security practices employed by a number of businesses, according to a Department of Homeland Security investigation.

The department's Cyber Safety Review Board, in a 59-page report released Thursday, urged the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to strengthen their oversight and enforcement activities related to SIM swapping, and asked telecommunications providers to report such attacks to the regulators.

The board also advised organisations to abandon widely used SMS- and voice-based multi-factor authentication in favour of "adopting easy-to-use, secure-by-default passwordless solutions."

The report, commissioned by CISA Director Jen Easterly, focuses on a group of young hackers known as Lapsus$, who carried out a series of attacks against major technology companies such as Uber, Okta, Samsung, and others.

The attacks garnered attention not only because of the victims, but also because of their boldness: the hackers would frequently gain access to a company's systems and critical data, then post screenshots and emojis in company-wide internal chat conversations.

When it was revealed in 2022 that the group consisted mainly of teenagers, it became even more well known. Seven people between the ages of 16 and 21 were detained by British police in March of that year, and in October Brazilian police detained another person.

The DHS review noted that the attacks highlighted how SMS-based multi-factor authentication, a practice frequently employed by organisations to add a further layer of protection when employees and customers log into accounts, can be defeated by hackers because of inadequate security practices at telecom carriers.

Lapsus$ was able to obtain basic data about its victims, such as their names and phone numbers, and used it to carry out fraudulent SIM swaps and intercept text messages that let them sign into accounts or complete account recoveries.
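As an added illustration (not from the report or this article), the following Python risk rule flags the two paths described above from an identity provider's own logs: an SMS code accepted shortly after the subscriber's SIM changed, and an account recovery that relied on the phone number alone. The carrier SIM-change feed, the 24-hour window, and the sample events are assumptions constructed for the example; it also rates plain SMS second factors as low-risk so they can be tracked during a migration to device-bound passwordless factors.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value: how long after a SIM change an SMS code is treated as untrusted.
SIM_CHANGE_WINDOW = timedelta(hours=24)
PHISHING_RESISTANT = {"fido2", "passkey"}  # passwordless, device-bound factors

@dataclass
class AuthEvent:
    ts: datetime
    user: str
    action: str        # "login" or "recovery"
    factors: tuple     # factors that succeeded, e.g. ("password", "sms_otp")
    phone: str

def sim_changed_recently(phone, ts, sim_changes):
    """sim_changes maps phone -> time of the most recent SIM/port change.
    The feed itself is an assumption (carriers expose such swap-status data)."""
    last = sim_changes.get(phone)
    return last is not None and timedelta(0) <= ts - last <= SIM_CHANGE_WINDOW

def assess(event, sim_changes):
    """Return (severity, reasons) for one authentication event."""
    used = set(event.factors)
    reasons = []
    if "sms_otp" in used and sim_changed_recently(event.phone, event.ts, sim_changes):
        reasons.append("sms_otp_accepted_shortly_after_sim_change")
    if event.action == "recovery" and used <= {"sms_otp", "voice_otp"}:
        reasons.append("recovery_relied_only_on_phone_number")
    if reasons:
        return "high", reasons
    if "sms_otp" in used and not used & PHISHING_RESISTANT:
        return "low", ["sms_used_as_second_factor"]
    return "ok", []

# Constructed sample data, not taken from any real incident.
SIM_CHANGES = {"+15550001": datetime(2022, 3, 1, 9, 0)}
EVENTS = [
    AuthEvent(datetime(2022, 3, 1, 10, 30), "alice", "login", ("password", "sms_otp"), "+15550001"),
    AuthEvent(datetime(2022, 3, 2, 8, 0), "bob", "recovery", ("sms_otp",), "+15550002"),
    AuthEvent(datetime(2022, 3, 2, 8, 5), "carol", "login", ("password", "sms_otp"), "+15550003"),
    AuthEvent(datetime(2022, 3, 2, 8, 6), "dave", "login", ("passkey",), "+15550004"),
]

def triage(events=EVENTS, sim_changes=SIM_CHANGES):
    """Assess every event; returns {user: (severity, reasons)}."""
    return {e.user: assess(e, sim_changes) for e in events}

if __name__ == "__main__":
    for user, (severity, why) in triage().items():
        print(f"{user:6} {severity:4} {', '.join(why)}")
```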

As part of its recommendations, the review board urged the federal government to create a roadmap of "standards, frameworks, guidance, tools, and technology" that can help organisations implement passwordless authentication in place of SMS-based multi-factor authentication.