The FCC finally took action this week after years of inaction. It will protect consumers against a scam which takes over their cell phone numbers through deceiving mobile carrier employees. While commissioners congratulated themselves for the move, there’s little reason yet to believe it will stop a practice that has been all too common over the past decade.
The scams are known as “SIM swapping” You can also find out more about the following: “port-out fraud,” The goal of both is to steal a phone number from its owner. This is done by tricking staff at the company that supplies the cell phone. SIM swapping occurs when crooks hold themselves out as someone else and request that the victim’s number be transferred to a new SIM card—usually under the pretense that the victim has just obtained a new phone. In port-out frauds, the crooks perform the same scam, but they trick the employee of the carrier into transferring the number to another carrier.
The attacks have been around for more than a decade. They became commoner during the time of irrational excitement that drove the price of Bitcoins and other crypto currencies up. Targets have included people who keep large amounts of digital coins. After stealing a phone number from the victim, the crooks reset passwords by clicking links in text messages. The thieves drain traditional and cryptocurrency bank accounts.
The practice has become so common that an entire SIM-swap-as-a-service industry has cropped up. More recently, these scams have been used by threat actors to target and in some cases successfully breach enterprise networks belonging to some of the world’s biggest organizations.
Scammers who use these tactics are surprising adept at the confidence game. Lapsus$ – a threat organization mainly composed of teens – has used SIM swaps as well as other forms of social engineer with an astounding level of success. The members then use the commandeered numbers to attack other targets. Microsoft revealed a group of previously unknown hackers who use SIM swaps regularly to capture companies that offer mobile telecommunications services.
Microsoft has tracked the success of a group’s key members. “Octo Tempest,” It is the painstaking work of research that allows this group to impersonate their victims in a way most people could never imagine. Attackers are able to mimic the distinctive idiolects of their targets. They are well versed in the methods used to verify that someone is who they say they are. No reason exists to believe that these groups will not be able navigate the rules easily and with minimal effort.
Vague rules
This week the FCC said that it will finally put a stop SIM swapping and fraud. The new rules, which “Commission said”, “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.”
But there’s no real guidance on what these secure authentication methods should be or what constitutes immediate notification. Instead, the FCC has written rules that explicitly state what constitutes immediate notification. “wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available.” A number of carriers have employees who are poorly paid and untrained, and a culture that is steeped in carelessness and apathy.
None of this is to say that the FCC won’t ultimately create rules that will provide a meaningful check on a scam that’s reached epidemic proportions. The problem is going to be very difficult to solve.
For the time being, SIM swaps and port-out scams are a fact of life, and there’s little reason for optimism that a handful of vaguely worded requirements will make a difference. For now, the best you can do is—when possible—to ensure that accounts are protected by a PIN or verbal password and follow these Additional precautions Federal Trade Commission.