The FCC Proposes Rules To Fight SIM Swap And Port-out Fraud
The Federal Communications Commission in the U.S. announced this week that it has started work on rules that would put the brakes on SIM swapping attacks.
The decision comes after the agency “received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud.”
Taking the first steps
The FCC said in a news release on Thursday that it “began a formal rulemaking process” designed to fight scams that allow fraudsters to take control of consumers’ cell phone accounts.
Along with port-out fraud, scammers use SIM swapping (also called SIM jacking) to hijack someone’s phone number and get access to two-factor authentication codes for financial services in particular.
In a Notice of Proposed Rulemaking, the agency aims to introduce rules for mobile carriers to adopt secure methods for authenticating subscribers before redirecting a customer’s phone number to a new device or carrier.
This means that addressing the issue will take some time, since a Notice of Proposed Rulemaking is only the first step towards achieving the expressed goal. Before the final rule, the public needs to be informed of the proposed rule and given the opportunity to submit comments, a period that ranges between 30 and 60 days.
SIM swapping and port-out fraud are similar types of scams that rely on social engineering by the threat actor.
Typically, a fraudster with personal details about their target calls the victim’s cell phone carrier and asks to transfer the service to a different device or another carrier.
If the request succeeds, all communication is directed to the attacker, including the two-factor authentication codes needed for identity verification when logging into an account or for password reset procedures.
SIM swapping behind huge losses
SIM swappers are usually financially motivated and go after online banking and cryptocurrency exchange accounts. There are also threat actors who use this method to steal social media accounts with special handles and then sell them. In 2019, the Twitter account of Jack Dorsey, Twitter CEO, was hijacked via SIM swapping.
The FCC’s action comes after the agency “received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud.”
Last month, an AT&T customer filed a complaint against the company for failing to properly secure their account against a SIM-swapping attack. As a result, the customer lost about $650,000 in cryptocurrency tokens.
In February 2021, T-Mobile learned of a data breach after finding that multiple customers had become victims of SIM-swapping attacks.
A network of SIM swappers dismantled at the beginning of the year is believed to have stolen more than $100 million in cryptocurrency from thousands of victims, including celebrities in the U.S.
More recently, Europol announced that cybercriminals with links to the Italian Mafia engaged in SIM swapping attacks and other cybercriminal activity that brought them more than €10 million.