The FCC proposes rules to fight SIM swap and port-out fraud
The Federal Communications Commission in the U.S. this week
announced that it has started work on rules intended to put the brakes on SIM
swapping attacks.
The decision comes after the agency "received numerous
complaints from consumers who have suffered significant distress,
inconvenience, and financial harm as a result of SIM swapping and port-out
fraud."
The FCC said in a news release on Thursday that it
"began a formal rulemaking process" designed to fight scams that
allow fraudsters to take control of consumers' cell phone accounts.
Along with port-out fraud, scammers use SIM swapping (also
called SIM jacking) to hijack someone’s phone number and get access to
two-factor authentication codes for financial services in particular.
In a Notice of Proposed Rulemaking, the agency aims to
introduce rules for mobile carriers to adopt secure methods for authenticating
subscribers before redirecting a customer's phone number to a new device or
carrier.
This means that addressing the issue will take some time,
since a Notice of Proposed Rulemaking is only the first step towards achieving
the stated goal. Before the final rule, the public needs to be informed of
the proposed rule and given the opportunity to submit comments, a period that
ranges from 30 to 60 days.
SIM-swapping and port-out fraud are similar types of scams
that rely on social engineering by the threat actor.
Typically, a fraudster with personal details about their
target calls the victim’s cell phone carrier asking to transfer the service to
a different device or another carrier.
If successful, all communication is directed to the
attacker, including the two-factor authentication codes needed for identity
verification when logging into an account or for password reset procedures.
SIM swapping behind huge losses
SIM swappers are usually financially motivated and go after
online banking and cryptocurrency exchange accounts. There are also threat
actors that use this method to steal social media accounts with special handles
and then sell them. In 2019, the Twitter account of Jack Dorsey, Twitter CEO,
was hijacked via SIM swapping.
Last month, an AT&T customer filed a complaint against
the company for failing to properly secure their account against a SIM-swapping
attack. As a result, the customer lost about $650,000 in cryptocurrency tokens.
In February 2021, T-Mobile learned of a data breach after
finding that multiple customers had become victims of SIM-swapping attacks.
A network of SIM swappers dismantled at the beginning of the
year is believed to have stolen more than $100 million in cryptocurrency from
thousands of victims, including celebrities in the U.S.
More recently, Europol announced that cybercriminals with
links to the Italian Mafia engaged in SIM swapping attacks and other
cybercriminal activity that brought them more than €10 million.