After years of inaction, the FCC this week said it is finally moving to protect consumers against a scam that takes control of their cell phone numbers by tricking carriers into handing them over. While commissioners congratulated themselves for the move, there was little reason yet to believe it would stop a practice that has been commonplace for more than a decade.
The scams, known as “SIM swapping” and “port-out fraud,” both have the same goal: to take control of a phone number away from its rightful owner by tricking the service provider’s employees. SIM swapping occurs when criminals pose as the victim and request that the victim’s number be transferred to a new SIM card, often under the pretense that the victim has just gotten a new phone. In port-out scams, criminals do much the same thing, except that they trick the carrier into transferring the target number to a different provider.
This class of attack has been around for well over a decade and has become commonplace amid the frenzy driving up the price of Bitcoin and other cryptocurrencies. People who hold large sums of digital currency have been frequent targets. Once criminals gain control of a phone number, they trigger password resets that are completed by clicking on links sent in text messages. The crooks then drain cryptocurrency and traditional bank accounts.
The practice has become so common that an entire SIM-swap-as-a-service industry has sprung up. More recently, these scams have been used by threat actors to target, and in some cases successfully breach, corporate networks belonging to some of the largest organizations in the world.
The criminals carrying out these scams are surprisingly adept at the art of the confidence game. Lapsus$, a threat group made up mostly of young people, has repeatedly used SIM swaps and other social engineering schemes with a disturbing level of success. From there, members use the commandeered numbers to attack other targets. Last month, Microsoft profiled a previously unknown group that regularly uses SIM swaps to target companies that provide mobile communications services.
A key to the success of the group, which Microsoft tracks as “Octo Tempest,” is the sophisticated research that allows it to impersonate victims to a degree most people would not imagine. Attackers can mimic the specific behavior of the target, and they have a strong command of the processes carriers use to verify that people are who they say they are. There’s no reason to think the new rules will be hard for groups like these to get around with a little extra effort.
Unclear rules
This week, the FCC finally said it would move to stop SIM swapping and port-out fraud. The new rules, the commission said, “Require wireless providers to adopt secure methods of customer authentication before porting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever there is a SIM switch or port-out request on customer accounts and take additional steps to protect customers from SIM switch and port-out fraud.”
But there is no real guidance on what these secure authentication methods should be or what counts as immediate notification. The FCC rules are instead written, in the commission’s words, to give “wireless providers the flexibility to implement the most advanced and appropriate fraud protection methods available.” Adding to the challenge is a gaggle of carriers with low-paid, poorly trained workers and cultures steeped in greed and indifference.
None of this is to say that the FCC won’t eventually create rules that provide a meaningful check on scams that have reached epidemic proportions. It simply means the problem will be very difficult to solve.
For now, SIM swaps and port-out scams are a fact of life, and there’s little reason to hope that a handful of vaguely worded requirements will make a difference. The best thing you can do, when possible, is to make sure your accounts are protected by a PIN or account password, and to follow the additional precautions provided by the Federal Trade Commission.