20.5k unique visitors in the last 3 days

‘Urgently’ Transition Away from SMS and Voice 2FA, Warns US Cyber Safety Review Board

A review of methods used by LAPSUS$ also stated a need for 'whole-of-society' programs to stop kids being tempted by cybercrime.

The US Department of Homeland Security has told organizations to replace SMS and voice calls with more secure methods for multi-factor authentication (MFA). SMS and voice are described as ‘particularly vulnerable’ and that the switch to token and app-based authentication should occur ‘urgently’.

Instead, organizations should adopt easy-to-use, secure-by-default, passwordless solutions such as Fast IDentity Online (FIDO)2-compliant, phishing-resistant MFA methods.

This recommendation comes at the top of a 52-page report from the Cyber Safety Review Board (CSRB) about the techniques used by the LAPSUS$ hacker gang and related parties. CSRB is a part of the Cybersecurity and Infrastructure Security Agency (CISA), which bills itself as ‘America’s cyber defense agency’. The essence of the CSRB conclusions about LAPSUS$ was that they succeeded in causing considerable harm using techniques that are simple but effective because they exploit the inherent weakness of widely-used security tools.

The report also says telcos should do more to prevent fraudulent SIM swaps.

The Board also calls attention to the risks introduced through use of mobile devices for authentication and urges telecommunications providers to mitigate risk through technological, process, and oversight measures. Carriers should implement more stringent authentication methods for SIM swapping to continue enabling legitimate business processes while introducing more friction to discourage malicious actors.

It was refreshing to see cybersecurity experts highlight the extent to which security should involve a broader strategy than merely throwing more and more technology at it. Commsrisk has often observed the extent to which boys are attracted to an online underworld that teaches them the tricks of a criminal trade via forums and comms channels that parents and teachers are not familiar with. Reducing crime also means engaging with boys before they start committing crimes.

…the Board recommends the advancement of “whole-of-society” programs and mechanisms to prevent juvenile cybercrime. Congress should explore funding juvenile cybercrime prevention programs, fostering interruption and redirection programs, and reducing criminal incentives by exploring ways to ensure continuity between federal and state law enforcement authorities.

This report is an excellent resource for anyone seeking to understand the key intersections between comms services and cybercrime. You will find it here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email