Thousands of people’s personal information may have been stolen after computers were compromised, according to a warning from two US insurance companies.
In November 2023, SIM-swapping hackers targeted the CNO Financial Group’s subsidiaries Washington National Insurance and Bankers Life.
As we’ve previously stated, SIM-swapping attacks involve con artists deceiving a cellphone operator’s customer service representative into giving them access to another phone number. This enables the con artist to obtain two-factor authentication tokens as well as the victim’s phone calls and SMS messages.
In some instances, a rogue insider at the cellphone company assists SIM-swappers in stealing phone numbers.
According to a breach notification letter that Washington National Insurance sent to 20,360 affected people, the hackers were able to get around multi-factor authentication by SIM-swapping a “senior officer’s phone number.”
The company warned that the personal information involved included names, Social Security numbers, birthdates, and policy numbers.
Bankers Life sent a nearly identical breach notification letter to 45,842 people.
In other words, cybercriminals now possess the personal information of about 66,000 people and may use it to commit fraud or launch additional attacks.
The fact that SIM swap attacks are not new particularly worries me. This technique is used by criminals to access systems without authorization, whether to steal cryptocurrency, exfiltrate data, or plant ransomware.
Two-factor authentication using SMS is less secure than hardware keys or authentication apps that use time-based one-time passwords (TOTP). Companies continue to be exposed to SIM-swapping, though.
Organizations and people should refrain from linking accounts to their phone numbers because SIM-swapping is so common and simple for criminals to perpetrate. In order to make it more difficult for a thief to deceive the cellphone operator into giving them access, they should also add extra layers of security to their cellphone accounts.
It is obvious that both insurance companies should discuss with their mobile service provider ways to avoid a repeat of the same incident.