
Kroll’s Crypto Breach Reveals SIM-Swapping Risk


The recent supply chain breach at Kroll, a risk and financial advisory firm, had significant implications for downstream customers and exposed personal information on hundreds of claimants involved in bankruptcy proceedings related to crypto trading firms FTX, BlockFI, and Genesis. This incident serves as a stark reminder of the ongoing danger organizations face from SIM-swapping attacks and underscores the urgent need to move away from SMS-based two-factor authentication.

The breach at Kroll began with a SIM swap: the attacker got the employee’s mobile carrier to move the employee’s phone number onto a SIM card the attacker controlled, and used that to gain unauthorized access to sensitive information. SIM swapping, also known as SIM hijacking, is a form of account takeover in which the attacker tricks the carrier into transferring the victim’s phone number to a SIM card under the attacker’s control, so that calls and text messages for that number, including one-time login codes, are delivered to the attacker instead of the victim.

SIM-swapping attacks take various forms. Some threat groups, such as the financially motivated group known as “Scattered Spider,” have carried out SIM swaps at scale by gaining access to mobile carriers’ internal systems and porting numbers themselves. In Kroll’s case, the attacker convinced T-Mobile to transfer a Kroll employee’s phone number to a device the attacker controlled. That gave the attacker access to files containing bankruptcy claim details, because Kroll managed the filing and retention of proofs of claim for the three crypto firms.

Kroll disclosed the breach last week, revealing that T-Mobile had transferred the employee’s phone number to the threat actor’s device without any authority from or contact with Kroll or its employee. T-Mobile has not yet responded to requests for comment.

FTX, one of the affected crypto trading firms, notified its customers of the breach, stating that their names, addresses, email addresses, and account balances had been exposed. Genesis also confirmed a similar impact from the breach and warned victims to be vigilant against phishing attempts aimed at taking control of their cryptocurrency accounts, wallets, and other digital assets.

SIM-swapping attacks usually aim to take over a victim’s incoming text messages so the attacker can intercept one-time codes sent over SMS. Such a code is rarely enough on its own: it is combined with a password obtained elsewhere (phishing, an earlier breach, credential stuffing) or used to complete an SMS-based password reset, and the resulting session is used to reach the victim’s bank and other accounts. Threat groups have also used SIM-swapped numbers to run phishing campaigns against the victim’s contacts.

The use of SMS-based multifactor authentication poses significant risks. According to Zach Capers, a senior security analyst at Capterra, SIM-swapping attacks effectively bypass SMS-based authentication and can lead to account takeovers, data breaches, and cyberattacks. Capterra’s research indicates that 42% of businesses rely on SMS for multifactor authentication, highlighting the widespread vulnerability to SIM-swapping attacks.

Mitigating SIM-swapping risks requires both businesses and individuals to take action. Capers suggests that SIM swapping often begins with social engineering, such as phishing emails and background research on the victim obtained from social media or company staff pages. Implementing alternatives to SMS-based authentication, such as biometrics and physical authentication keys, can enhance security. Individuals can reduce the risk by refraining from posting personal data on social media and online forums. Georgia Weidman, a security architect at Zimperium, adds that businesses should educate employees about the dangers of SIM swapping and recommend adding a port freeze to their mobile accounts.
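To make the distinction in the two paragraphs above concrete, here is an added toy model (not code from the original article, nor from Kroll, T-Mobile or Capterra) of a SIM swap against two kinds of second factor: an SMS one-time code, and a device-bound challenge/response in the style of a FIDO security key. The class names (Carrier, Device, AuthServer), the phone number and the relying-party name kroll.example are constructed for the illustration, and the device-bound factor uses a standard-library HMAC as a stand-in for an authenticator’s asymmetric key pair.

```python
"""Toy model of SMS-OTP vs. device-bound MFA under a SIM swap.

Constructed example: the carrier routes texts by phone number, the
attacker talks the carrier into moving the victim's number, and we
watch what each second factor does. Carrier/Device/AuthServer are
assumed names for illustration, not any vendor's API.
"""
import hashlib
import hmac
import secrets


class Device:
    """A phone or security key. 'inbox' receives SMS; 'secret' is a
    per-device key that never leaves the device (FIDO-style stand-in)."""

    def __init__(self, name):
        self.name = name
        self.inbox = []
        self.secret = secrets.token_bytes(32)

    def sign(self, rp_id, challenge):
        # Device-bound factor: response over (relying party, challenge).
        # A real authenticator signs with a private key; HMAC keeps this
        # stdlib-only while preserving the property that matters: only
        # the holder of this device's key can produce the response.
        return hmac.new(self.secret, rp_id.encode() + challenge, hashlib.sha256).digest()


class Carrier:
    """Routes SMS to whichever device currently holds the number."""

    def __init__(self):
        self.routes = {}

    def provision(self, number, device):
        self.routes[number] = device

    def sim_swap(self, number, attacker_device):
        # Outcome of the social-engineering call: the number now points elsewhere.
        self.routes[number] = attacker_device

    def send_sms(self, number, text):
        self.routes[number].inbox.append(text)


class AuthServer:
    def __init__(self, carrier, rp_id="kroll.example"):  # rp_id is a constructed name
        self.carrier = carrier
        self.rp_id = rp_id
        self.users = {}   # username -> {"number": str, "device_secret": bytes}
        self.pending = {}  # username -> outstanding OTP code or challenge

    def enroll(self, username, number, device):
        # Records the phone number (for SMS) and the device key (for
        # device-bound MFA). Keeping the HMAC secret server-side is the
        # toy's simplification of storing the authenticator's public key.
        self.users[username] = {"number": number, "device_secret": device.secret}

    # --- SMS OTP: a bearer code delivered to a phone number, not a device ---
    def start_sms_login(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.carrier.send_sms(self.users[username]["number"], f"Your code is {code}")

    def finish_sms_login(self, username, code):
        return hmac.compare_digest(self.pending.pop(username, ""), code)

    # --- Device-bound challenge/response ---
    def start_key_login(self, username):
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def finish_key_login(self, username, response):
        challenge = self.pending.pop(username, b"")
        key = self.users[username]["device_secret"]
        expected = hmac.new(key, self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def extract_code(sms_text):
    """Pull the six-digit code out of the constructed SMS text."""
    return sms_text.rsplit(" ", 1)[-1]


def run_scenario():
    """Return (attacker passes SMS OTP, attacker passes key login, victim passes key login)."""
    carrier = Carrier()
    victim_phone = Device("victim-phone")
    attacker_phone = Device("attacker-phone")
    carrier.provision("+15550100", victim_phone)  # constructed number

    server = AuthServer(carrier)
    server.enroll("employee", "+15550100", victim_phone)

    # The attacker already holds the password and now gets the number moved.
    carrier.sim_swap("+15550100", attacker_phone)

    # SMS OTP: the code lands in the attacker's inbox and is accepted.
    server.start_sms_login("employee")
    assert not victim_phone.inbox, "victim should receive nothing after the swap"
    sms_ok = server.finish_sms_login("employee", extract_code(attacker_phone.inbox[-1]))

    # Device-bound factor: the attacker can only sign with their own key.
    challenge = server.start_key_login("employee")
    attacker_key_ok = server.finish_key_login("employee", attacker_phone.sign(server.rp_id, challenge))

    # The legitimate device still works; the swap did not touch its key.
    challenge = server.start_key_login("employee")
    victim_key_ok = server.finish_key_login("employee", victim_phone.sign(server.rp_id, challenge))
    return sms_ok, attacker_key_ok, victim_key_ok


if __name__ == "__main__":
    print(run_scenario())
```

Running run_scenario() shows the SMS code being accepted from the attacker’s device while the device-bound response is rejected and the victim’s own device still passes. The property that matters is where the secret lives: an SMS code is a bearer token routed by phone number, and the carrier can be talked into reassigning that number; a device-bound key cannot be moved by a phone call to a carrier. A port freeze or account PIN at the carrier, as recommended above, raises the cost of the first step but does not change what the SMS factor actually proves.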

As organizations increasingly recognize the vulnerabilities associated with SMS-based two-factor authentication, it becomes imperative to adopt alternative and more secure authentication methods. By addressing these risks head-on, businesses and individuals can better protect sensitive data and mitigate the potential consequences of SIM-swapping attacks.
