Two US insurance coverage corporations are warning that 1000’s of people’ private info might have been stolen after hackers compromised laptop programs.
Washington Nationwide Insurance coverage and Bankers Life, each subsidiaries of the CNO Monetary Group, have been focused by SIM-swapping hackers in November 2023.
As we have described earlier than, SIM-swapping assaults contain fraudsters tricking buyer help workers at a cellphone operator into giving them management of another person’s cellphone quantity. This permits the fraudster to obtain the sufferer’s cellphone calls and SMS messages, together with two-factor authentication tokens.
In some circumstances, SIM-swappers hijack cellphone numbers with the assistance of a rogue insider on the cellphone firm.
A breach notification letter despatched by Washington Nationwide Insurance coverage to twenty,360 affected people explains {that a} SIM-swapping assault on a “senior officer’s cellphone quantity” allowed the hackers to bypass multi-factor authentication.
The corporate warned that non-public info together with names, social safety numbers, dates of start, and coverage numbers.
Bankers Life despatched an almost equivalent breach notification letter to 45,842 people.
In brief, the private info of some 66,000 individuals is now within the palms of cybercriminals, who might use it for fraud or additional assaults.
What I discover notably alarming is that SIM swap assaults aren’t new. Criminals use this technique to interrupt into programs with out authorisation, whether or not to plant ransomware, exfiltrate knowledge, or pilfer cryptocurrency.
SMS-based two-factor authentication is much less safe than authentication apps with time-based one-time passwords (TOTP) or {hardware} keys. But corporations nonetheless depart themselves open to SIM-swapping.
With SIM-swapping so prevalent and simple for criminals to tug off, organizations and people ought to keep away from linking accounts to their cellphone quantity. They need to additionally add further layers of safety to their cellphone accounts to make it tougher for a criminal to trick a cellphone operator into handing over a quantity.
Each insurance coverage corporations ought to clearly discuss to their cellphone supplier about stopping an identical accident from occurring once more.
