Read at Hot for Security
Washington National Insurance and Bankers Life, both subsidiaries of the CNO Financial Group, have reported that hackers compromised their computer systems and may have stolen personal information of thousands of individuals through SIM-swapping attacks. The attacks involved fraudsters tricking customer support staff at a cellphone operator into giving them control of someone else's phone number, allowing them to bypass multi-factor authentication and access sensitive information. The breach affected a total of 66,000 people, and the stolen information included names, social security numbers, dates of birth, and policy numbers.
A breach notification letter sent by Washington National Insurance to 20,360 affected individuals explains that a SIM-swapping attack on a "senior officer's phone number" allowed the hackers to bypass multi-factor authentication.
SIM-swapping attacks have long been used by cybercriminals to gain unauthorized access to systems and carry out various malicious activities, such as planting ransomware, stealing data, or pilfering cryptocurrency. SMS-based two-factor authentication is less secure than other methods, yet many organizations still rely on it, leaving themselves vulnerable to SIM-swapping attacks. It is advised that individuals and organizations avoid linking accounts to phone numbers and implement additional security measures to protect against such attacks.
What I find particularly alarming is that SIM swap attacks aren't new. Criminals use this method to break into systems without authorisation, whether to plant ransomware, exfiltrate data, or pilfer cryptocurrency.