A recent Department of Homeland Security (DHS) review has shed light on the vulnerabilities exposed by a series of high-profile cyberattacks conducted by teenage hackers in 2021 and 2022. These attacks have underscored systemic weaknesses in the telecommunications industry and security practices adopted by various businesses. The DHS’s Cyber Safety Review Board issued a 59-page report that urges the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to bolster their oversight and enforcement efforts regarding SIM swapping attacks.
It also calls for a shift away from widely-used SMS and voice-based multifactor authentication methods toward more secure passwordless solutions. The review primarily focuses on the actions of a young hacker group known as Lapsus$, which targeted major technology companies such as Uber, Okta, and Samsung.
Notable for their audacious tactics, the hackers infiltrated company systems, gaining access to sensitive data and even posting content within internal chat messages. The DHS report praises the speed, creativity, and boldness exhibited by Lapsus$ in executing their attacks. In 2022, the group gained further attention when authorities revealed its largely teenage composition, leading to arrests in the UK and Brazil.
The review highlights the susceptibility of SMS-based multifactor authentication, widely used by organizations, to manipulation by cybercriminals due to lax security practices within the telecommunications sector. Lapsus$ effectively executed fraudulent SIM swaps and intercepted text messages, underscoring the need for enhanced security measures.
To combat this, the Cyber Safety Review Board recommends the federal government develop a comprehensive roadmap comprising standards, frameworks, guidance, and technology to facilitate the adoption of passwordless authentication.
Established by President Joe Biden in May 2021, the Cyber Safety Review Board is staffed by senior government officials and technology executives. While lacking regulatory authority, its influence is significant, as it guides federal agencies, Congress, and private companies in cybersecurity matters.
The findings of the DHS review emphasize the pressing need for stronger cybersecurity measures, adaptive detection, and prevention capabilities in a rapidly evolving threat landscape.