The Federal Communications Commission (FCC) is calling on carriers to implement better security protections against SIM-swap and port-out attacks.
These attacks are a common way for criminals to carry out identity theft, and take over anything from an Apple ID to a bank account …
A SIM-swap attack is when an attacker persuades your carrier to move your phone number onto a new SIM card, one the attacker holds. A port-out attack is when the attacker opens an account in your name with a different carrier and has your number ported across to that account, which they control. Either way, your number now rings on a device in the attacker's hands.
In both cases, the attacker will then receive any calls and text messages meant for you, including two-factor authentication (2FA) codes, which can be combined with phishing attacks to take over your accounts. The worst aspect of this type of fraud is that it can be near-impossible for the victim to prove their identity afterwards, since the attacker receives any SMS verification codes sent for password resets, and the victim's own phone goes dead. (This is just one reason why SMS is a horrible form of 2FA.)
A study last year found that US carriers were failing to properly protect their customers against these attacks.
The method used was ridiculously simple: the caller claimed to have forgotten the answer to the primary security question, and then went on to claim that the reason they couldn’t answer questions about things like their date and place of birth is that they must have made a mistake when they set up the account.
Unbelievably, customer service representatives then allowed them to authenticate simply by naming the two most recent phone numbers called. As the study notes, it would be pretty simple to make someone call a number you control, just by leaving voicemails or sending text messages. Three carriers sometimes even accepted the numbers of recent incoming calls as authentication, meaning an attacker need do nothing more than call the victim's phone from a burner phone and then name that number.
FCC calls for better protections against SIM-swap attacks
The FCC says that it is clear that the problem needs to be addressed.
The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.
The commission wants to force carriers to use more secure methods to verify the identity of customers making these requests.
The Federal Communications Commission today began a formal rulemaking process with the goal of confronting subscriber identity module (SIM) swapping scams and port-out fraud, both of which bad actors use to steal consumers’ cell phone accounts without ever gaining physical control of a consumer’s phone […]
It proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.
The next step is a public consultation process.
In the meantime, you can minimize your risk of falling victim to this type of attack by taking a few precautions:
- If your carrier allows you to set a PIN or password for your account, do this.
- For 2FA, always use an authenticator app, not SMS, whenever you are offered this option.
- Be suspicious of any calls, texts or emails asking for personal data.
- Follow our advice for protecting against phishing attacks, which are often combined with SIM-swap ones.
Photo: Brett Jordan/Unsplash