Two US insurance firms are warning that hundreds of people’s personal information could have been stolen after hackers compromised computer systems.
Washington National Insurance and Bankers Life, both subsidiaries of the CNO Financial Group, were targeted by SIM-swapping hackers in November 2023.
As we have described before, SIM-swapping attacks involve fraudsters tricking customer support staff at a cellphone operator into giving them control of someone else’s phone number. This allows the fraudster to receive the victim’s phone calls and SMS messages, including two-factor authentication tokens.
In some cases, SIM-swappers hijack phone numbers with the help of a rogue insider at the cellphone company.
A breach notification letter sent by Washington National Insurance to 20,360 affected individuals explains that a SIM-swapping attack on a “senior officer’s phone number” allowed the hackers to bypass multi-factor authentication.
The company warned that personal information including names, Social Security numbers, dates of birth, and policy numbers.
Bankers Life sent a nearly identical breach notification letter to 45,842 individuals.
In short, the personal information of some 66,000 people is now in the hands of cybercriminals, who could use it for fraud or further attacks.
What I find particularly alarming is that SIM swap attacks aren’t new. Criminals use this technique to break into systems without authorisation, whether to plant ransomware, exfiltrate data, or pilfer cryptocurrency.
SMS-based two-factor authentication is less secure than authentication apps with time-based one-time passwords (TOTP) or hardware keys. Yet companies still leave themselves open to SIM-swapping.
With SIM-swapping so prevalent and easy for criminals to pull off, organizations and individuals should avoid linking accounts to their phone number. They should also add extra layers of security to their cellphone accounts to make it harder for a crook to trick a cellphone operator into handing over a number.
Both insurance firms should clearly speak to their cellphone provider about preventing a similar incident from happening again.