Jan. 29, 2024
Consumers use cell phone numbers to authenticate their identities across a variety of accounts, such as those held with wireless providers, financial institutions, healthcare providers, and retail websites. One common example is when a provider sends an SMS (text) message to your phone to verify your identity before completing a transaction.
Two fraudulent practices – Subscriber Identity Module (SIM) swap fraud and port-out fraud – may enable threat actors to take control of these accounts without gaining physical control of a cell phone, threatening the financial and digital lives of consumers.
On December 8, 2023, the Federal Communications Commission (FCC) issued a Report and Order that will require wireless providers to refine their customer authentication procedures, customer notification policies, and record retention practices to protect customers from fraud schemes.
The Report and Order underscores the need for account providers of all types to securely authenticate their customers and understand the potential vulnerabilities of their verification processes.
Similarly, consumers should educate themselves about these fraud schemes and learn how to spot them. Going forward, legitimately changing a SIM card or porting a wireless number may be subject to more processes to protect against fraud.
The Report and Order identifies two particular fraudulent practices associated with wireless service accounts:
SIM Swap Fraud. A mobile phone has a SIM card containing a chip that associates your phone number with that phone. SIM swapping happens when a threat actor convinces a victim’s wireless provider to transfer the victim’s service from the victim’s device to the threat actor’s device.
Port-Out Fraud. Port-out fraud involves the threat actor opening an account with a wireless provider on the victim’s behalf and arranging for the victim’s phone number to be ported out (transferred) to the new account.
Both schemes are based on the fact that a wireless provider can change the phone number associated with a SIM card or port a phone number to another wireless provider. This wireless number portability (when legitimate) is convenient for consumers and wireless providers but creates a potential vulnerability.
If a threat actor has control of a consumer’s wireless phone account, then an SMS (text) passcode sent to that account for authentication purposes will go to the threat actor.
The FCC revised a number of its rules to reduce the incidence of SIM swap and port-out fraud without making it difficult for customers to change cell phones or devices.
Among other requirements, wireless providers must:
Consumers and account providers should assess and strengthen the authentication methods they use and offer, to prevent and limit SIM swap and port-out fraud and other fraudulent schemes: