Today carriers are inundated with SIM swap fraud and are struggling to address consumer attacks in a timely manner. In 2012, carriers saw a significant increase in SIM swap fraud that utilized number porting. At that time fraud was focused on device take over for use of the phone capabilities. In 2017 there was another significant increase in fraud. This spike was due to fraudsters' focus on monetary gain and correlated with the surge in bitcoin value. Bitcoin is highly coveted by cybercriminals and is notoriously used for illicit activities and money laundering on the darknet. The fraud will continue as long as there is monetary gain.
What are Service Providers doing to protect your mobile identity?
Many Service Providers have introduced the concept of a porting pin to prevent porting fraud. This PIN must be provided before the Service Provider will allow a port to occur. This approach has significantly decreased porting fraud but has yet to eliminate the problem. Not all service providers have implemented the porting PIN and it does not work in all cases.
To avoid putting their customers at risk of personal accounts getting compromised and financial loss, mobile carriers need to be attentive in their authentication practices.
What action is the FCC taking to protect your mobile identity?
The FCC’s issued a notice of proposed rulemaking related to protecting consumers from SIM Swap and Port-Out Fraud requiring phone carriers to authenticate customer’s identity before transferring their number to a new phone. For example, having customers authenticate their identity by offering a pre-established password or getting a one-time password sent via text message, email or phone call. Carriers will also have to immediately notify customers if a SIM change request is made on their account.
If customers cannot authenticate their accounts, the provider will not be able to SIM swap phones via these methods. Phone carriers will also have to give customers a “port-freeze” option on their accounts that does not allow for any SIM Swapping.
To date, there is no industry-wide solution
The concept of “port locking” has been discussed in industry forums as early as 2003 and as recently as 2019. However, this is not a direction being considered today.
What can you do to protect yourself?
Consumers can log on to the FTC’s identitytheft.gov website to report theft and learn how to protect themselves. A few immediate actions you can take include:
- Pay attention to your bill - if you notice anything peculiar, contact your phone company
- Protect your account with a PIN - without this password, your account cannot be accessed.
- Be on the alert for Phishing Scams - never give financial or other information to unexpected callers. If you’re concerned about an account issue, call the company back and make sure you use a known phone number.
As victims are experiencing the costs, no consensus has yet been reached on an implementation approach for carriers much less consumers. If you are a victim, Identitytheft.gov provides resources including step-by-step instructions to guide victims through the recovery process.
Get insights into what happens when fraudsters steal your mobile identity by reading our Mobile Identity Nightmare - Attack blog.