Everyone knows safeguarding social security numbers, bank account numbers, pins, credit cards and passwords is key to thwarting identity thieves and hackers. But what about the 10-digit numbers that people use every day to stay in touch? Telephone numbers are increasingly used to validate subscribers’ identities for account access, and fraudsters are developing more sophisticated attacks to take advantage.
According to the Federal Bureau of Investigation (FBI), the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC), port-out and SIM swap fraud have been accelerating in recent years, allowing criminals to take control of consumer phone numbers to gain access to personal and financial information, sometimes inflicting millions in losses. The FCC has long considered rules to help carriers deter port-out and SIM swap fraud, and the topic has gained renewed importance this month as the FCC is expected to mull over the latest rule considerations at its mid-November meeting.
While these scams often target individuals, carriers and enterprises have an important role to play in keeping company-owned assets and networks safe through training, strengthening verification processes and security protocols. In this article, we’ll examine SIM swap and port-out fraud and how carriers and enterprises can bolster their defenses against these ever-evolving threats to avoid reputational damage and customer loss.
FBI: $72M lost to SIM swap fraud in 2022
SIM swap fraud, sometimes known as "SIM card swapping" or "SIM card replacement fraud," happens when a cybercriminal convinces a mobile carrier to issue a new SIM card, transferring the victim's phone number into an attacker's control. Porting fraud, also known as “port-out fraud” or “number hijacking” happens when a scammer cons a carrier into porting a victim’s phone number to a different mobile device or account that is under the hacker’s control.
As major carriers report, approximately 99% of all porting and SIM swap requests are legitimate asks from customers, making the task of regulating the bad actors difficult. Carriers risk frustrating customers who are seeking assistance to regulate what’s reportedly a small number of fraudulent requests. Still, the issue warrants investigation and further diligence from carriers.
In 2020, Princeton University researchers revealed in a study that several wireless carriers rely on vulnerable methods for verifying the identities of people seeking SIM changes. The researchers initiated 10 pre-paid accounts across five leading wireless providers and then proceeded to request SIM changes for each account. They discovered that all five carriers employed "insecure authentication challenges," which could be effortlessly manipulated by potential attackers.
It’s important to note that although SIM swap and port-out fraud make up a very small percentage of overall types of cyberattacks, the number of cases continues to grow each year, and damages resulting from the incidents can be large.
According to the FBI’s 2022 Internet Crime Report, these scams reached unprecedented numbers in 2022, with more than 2,000 people falling victim to SIM swap fraud, with losses totaling upwards of $72 million. Compared to 2021, instances of SIM swap fraud rose 25%, from a reported 1,600 cases.
Consumer complaints of port-out and SIM swapping fraud through the FCC and FTC continue to rise each year. In one high-profile case in early 2022, approximately 6,000 TracFone customers had their numbers ported to other carriers, causing some customers to lose their numbers for up to 12 days.
Mobile carriers and law enforcement agencies are continually adapting to these threats, but attackers have also become more sophisticated. The evolution of porting attacks can be attributed to the availability of personal data on the dark web, social engineering tactics and the inadequacies in current porting procedures.
Carriers and enterprises: staying safe from porting and SIM swap fraud
As a step toward combating fraud, many service providers have introduced the concept of a porting pin. This PIN must be provided before the service provider will allow a port to occur. This approach has significantly decreased porting fraud but has yet to eliminate the problem, and not all service providers have implemented the porting PIN, nor does it work in all cases.
To avoid putting their customers at risk of personal accounts getting compromised and financial loss, mobile carriers need to find new ways to add extra scrutiny to their authentication practices. The same goes for enterprises looking to safeguard company telephones that are vulnerable to attack from lax security protocols or insufficient training. Here are six ways carriers and enterprises can strengthen their defenses against port-out and SIM swap fraud.
- Strengthening Verification Processes: Mobile carriers and enterprises must enhance their verification processes to minimize the risk of porting and SIM swap fraud. Implementing robust customer identification procedures and requiring multiple forms of identity verification can act as deterrents to attackers.
- Monitoring for Suspicious Activity: Investing in sophisticated monitoring systems that can detect unusual activity is a crucial investment for carriers and enterprises and can thwart potential attackers when they’re not yet a blip on your security team’s radar. For example, if a SIM card change is requested from a location that does not match the user's usual pattern, the system should trigger an alert. Rapid response to such incidents is crucial to preventing successful attacks.
- Educating Customers and Employees: Awareness and education are paramount in the battle against all three attacks noted above. Carriers should educate their customers about the risks and best practices for safeguarding their phone numbers, particularly around phishing and how cybercriminals may obtain information needed to commit a port-out of SIM swap attack. Similarly, enterprises should provide training to their employees about how port-out fraud and SIM swap attacks occur and set up a reporting system.
- Enhancing Password and Account Security: Both carriers and enterprises can improve the security of their accounts by enforcing strong password policies and regularly auditing and enhancing their security measures. For example, implementing adaptive authentication mechanisms that analyze user behavior and device attributes can help identify suspicious login attempts.
- Reducing Reliance on SMS-Based MFA: To defend against hackers gaining access to sensitive information via MFA, organizations should consider moving away from SMS-based authentication and adopting more secure alternatives. Using biometrics is a potential solution that can significantly reduce the vulnerability of MFA even to hackers who have access to a victim’s SIM card or phone.
- Collaboration with Law Enforcement: Carriers and enterprises should work closely with law enforcement agencies to report and combat SIM swap fraud and port-out scams effectively. This collaboration can help bring perpetrators to justice and deter others from engaging in cybercrime.
In the battle for digital security, proactive measures are essential to safeguard personal and business data against the relentless advances of cybercriminals. The rising frequency of porting and SIM swap fraud is a clear indication of the pressing need for carriers and enterprises to bolster their defenses and adapt to this evolving landscape in several key ways.
By strengthening verification processes, implementing monitoring systems, educating customers and employees, enhancing security, reducing reliance on SMS-based MFA, and collaborating with law enforcement, carriers and enterprises can significantly mitigate the risks associated with the threats arising from the very devices that we rely on the most and make important headway in the face of rising cyberthreats.
