Beware of Scams that Hijack Cellphone Accounts: The Importance of Authentication for Businesses and Consumers: Privacy Day Awareness

Nelson Mullins Riley & Scarborough LLP

Consumers use cell phone numbers to authenticate their identities across a variety of accounts, such as those held with wireless providers, financial institutions, healthcare providers, and retail websites. One common example is when a provider sends an SMS (text) message to your phone to verify your identity before completing a transaction.

Two fraudulent practices – Subscriber Identity Module (SIM) swap fraud and port-out fraud – may enable threat actors to take control of these accounts without ever gaining physical possession of a cellphone, threatening the financial and digital lives of consumers.

On December 8, 2023, the Federal Communications Commission (FCC) issued a Report and Order that will require wireless providers to refine their customer authentication procedures, customer notification policies, and record retention practices to protect customers from fraud schemes.

The Report and Order underscores the need for account providers of all types to securely authenticate their customers and understand the potential vulnerabilities of their verification processes.

Similarly, consumers should educate themselves about these fraud schemes and learn how to spot them. Going forward, changing a SIM card and porting a wireless number legitimately may be subject to more processes to protect against fraud.

Fraud Schemes Involving Wireless Accounts

The Report and Order identifies two particular fraudulent practices associated with wireless service accounts:

SIM Swap Fraud. A mobile phone contains a SIM card, a chip that associates your phone number with that phone. SIM swapping happens when a threat actor convinces a victim’s wireless provider to transfer the victim’s service from the victim’s device to the threat actor’s device.

Port-Out Fraud. Port-out fraud involves the threat actor opening an account with a wireless provider on the victim’s behalf and arranging for the victim’s phone number to be ported out (transferred) to the new account.

Both schemes rely on the fact that a wireless provider can change the phone number associated with a SIM card or port a phone number to another wireless provider. This wireless number portability (when legitimate) is convenient for consumers and wireless providers, but it creates a potential vulnerability.

If a threat actor has control of a consumer’s wireless phone account, then an SMS (text) passcode sent to that account for authentication purposes will be delivered to the threat actor rather than the consumer.

Revised Rules to Protect Customers from SIM Swap and Port-Out Fraud

The FCC revised a number of its rules to reduce the incidence of SIM swap and port-out fraud without making it difficult for customers to change cellphones or devices.

Among other requirements, wireless providers must:

  • Notify customers in advance regarding SIM change and port-out requests
  • Offer customers the option to lock their accounts to block processing of SIM changes and number ports
  • Give customers notice of account protection mechanisms
  • Investigate and remediate fraud promptly

Takeaways

Consumers and account providers should assess and strengthen the authentication methods they use and offer, to prevent and limit SIM swap/port-out fraud and other fraudulent schemes:

  • Use and Require Unique, Strong Passwords. Threat actors need personal information to carry out their fraud schemes. Passwords that cannot be brute-forced or otherwise compromised help protect that personal information.
  • Use and Require Multi-Factor Authentication. While SMS-based codes may be vulnerable to these attacks, multi-factor authentication remains a crucial tool to prevent account takeover. Consider other authentication methods like passkeys.
  • Consider Newer Authentication Methods. Authenticator apps that use a “passwordless” sign-in are one way to move away from passwords and other traditional verification mechanisms.
  • Be Skeptical, and Train Those in Your Organization to Be Skeptical. Learn to recognize phishing and social engineering attempts. Never click links or open attachments in emails or texts that appear to come from your employer, financial institution or any other provider. Always log in to your accounts directly.
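The second and third takeaways above recommend authenticator apps over SMS codes. The reason is that an authenticator app derives its passcode from a secret shared with the provider at enrollment, so the code never travels over the carrier network and a SIM swap or port-out gives a threat actor nothing to intercept. The following is an added illustration (not part of the original advisory, and not code from Nelson Mullins or the FCC) of that time-based one-time password scheme, following RFC 6238 with HMAC-SHA1, 30-second steps and 6-digit codes, which is what most authenticator apps implement. The shared secret used in the test is the RFC's published test seed, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 encoding of the RFC 6238 test seed "12345678901234567890".
# This is a published test value, not a real secret.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a given time.

    The provider and the authenticator app both hold secret_b32; the code is
    HMAC(secret, floor(time / step)) truncated to `digits` decimal digits.
    Nothing is transmitted to the phone, so a SIM swap cannot redirect it.
    """
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # time step since the Unix epoch
    message = struct.pack(">Q", counter)             # 8-byte big-endian counter
    digest = hmac.new(key, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    Accepts codes from the current step and `window` steps either side to
    tolerate clock drift between the provider and the user's device. The
    comparison is constant-time so the check itself leaks nothing about the
    expected code.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Show the code an authenticator app would display right now for the test seed.
    now = int(time.time())
    print("current code:", totp(RFC6238_SEED_B32, now))
    print("accepted:", verify_totp(RFC6238_SEED_B32, totp(RFC6238_SEED_B32, now), now))
```

A provider that adopts this scheme still needs a safe enrollment step (the secret is usually shown once as a QR code) and a recovery path that does not fall back to SMS, since a recovery flow that sends a text message reintroduces the very weakness the scheme was meant to remove.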

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising
