When Security Falls Apart: A Tale of SMS-Based MFA Gone Wrong
James Harper
Cybersecurity Compliance | Speaker | CMMC CCA | CISSP | CCSP | Program Management | Team Builder
Meet Pete, a hardworking professional at Quantum Naval Solutions. Like many of us, he uses a memorable password, "Sunshine123," across several accounts. His IT department at work recently started requiring special characters in passwords. So, he changed his work password to "Sunshine123!".
One day, Pete attempted to log into his work account, but his MFA code never arrived. Moments later, he noticed that his cell phone had stopped working. Unbeknownst to Pete, a cybercriminal had orchestrated a SIM-swapping attack, gaining control of his cell phone number.
The attackers found Pete's name and "Sunshine123" as his password to a social media account on the Dark Web. With the MFA code redirected to the attacker's phone, they tried a few variations of the compromised password and quickly discovered that they could get into the company's systems by just adding an exclamation mark to the end of it. Now, the attackers had access to Quantum Naval Solutions' critical systems.
Controlled Unclassified Information (CUI) was compromised. His email account was then used to send phishing emails to the company's prime contractors and even the DoD Program Office. What a nightmare!
Pete is not a real person. But his experience happens in reality every day. CISA and the FBI have recently confirmed a wave of cyber-espionage campaigns targeting telecommunications infrastructure. Adversaries, including Chinese state-sponsored groups, have exploited vulnerabilities in SMS-based MFA, gaining access to call records and private communications—even without hijacking cell phone SIM cards.
While CMMC Level 2 Practice IA.L2-3.5.3 mandates the use of MFA for privileged and non-privileged access to computers connected to networks, not all MFA methods are equally secure. According to CISA’s guidance, SMS-based MFA is particularly vulnerable to phishing, SIM-swapping, and SS7 protocol exploits. In fact, CISA’s Phishing-Resistant MFA Fact Sheet identifies FIDO/WebAuthn and PKI-based MFA as the gold standards for securing sensitive systems. Unfortunately, the US Government's rulemaking process is so slow that it will take a year—and probably much more—to address issues like this through the CMMC program.
Organizations need to move beyond SMS-based MFA to adopt phishing-resistant solutions. Methods like app-based authenticators with number matching, hardware tokens, or PKI-based smart cards significantly reduce the risk of credential compromise. As the cybersecurity landscape evolves, so must our defenses.
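To make concrete why FIDO/WebAuthn resists the phishing that defeats an SMS code, here is an added illustration (not from the article): a simplified relying-party assertion check in Python. The relying party name, origin, sample code and the HMAC that stands in for the authenticator's asymmetric signature are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                      # hypothetical relying party (RP)
RP_ORIGIN = "https://login.example.com"
DEVICE_KEY = b"constructed-authenticator-key"    # stands in for the credential's private key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_assert(rp_id_seen: str, origin_seen: str, challenge: bytes):
    """Browser + authenticator side of navigator.credentials.get(): the browser
    records the origin the user is really on, the authenticator hashes the RP ID
    it was handed and signs authData || SHA-256(clientDataJSON). HMAC replaces the
    real asymmetric signature to keep the example dependency-free."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin_seen}).encode()
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    sig = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, challenge: bytes) -> bool:
    """Relying-party checks (simplified from the WebAuthn assertion procedure)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False   # wrong ceremony or a replayed / foreign challenge
    if cd.get("origin") != RP_ORIGIN:
        return False   # the browser was on another site: a relayed (phished) assertion
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False   # credential was exercised for a different RP ID
    expected = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def login_attempt(origin_seen: str, rp_id_seen: str) -> bool:
    """RP issues a fresh challenge; browser and authenticator answer from wherever the user is."""
    challenge = os.urandom(32)
    return rp_verify(*authenticator_assert(rp_id_seen, origin_seen, challenge), challenge)

def sms_code_verify(submitted: str, issued: str) -> bool:
    """An SMS code has no origin binding: the same digits relayed from a look-alike page pass."""
    return hmac.compare_digest(submitted, issued)

if __name__ == "__main__":
    print("genuine site:", login_attempt("https://login.example.com", "login.example.com"))    # True
    print("look-alike site:", login_attempt("https://login-example.com", "login-example.com"))  # False
    print("relayed SMS code:", sms_code_verify("482913", "482913"))                              # True
```

The browser only lets a page request an RP ID within its own domain, so a look-alike site cannot obtain an assertion that passes the origin and RP ID checks, whereas the SMS code verification has nothing to tie the code to the site the user typed it into.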
The stakes are too high, especially for businesses in the defense industrial base aiming for CMMC compliance. It’s not just about meeting a requirement—it’s about safeguarding national security and your organization’s reputation.
What are your thoughts on the future of MFA? Are phishing-resistant methods practical for organizations of all sizes? Share your perspective in the comments!
#Cybersecurity #MFA #CMMC #PhishingResistantMFA #ZeroTrust