FCC reminds mobile phone carriers they must do more to prevent SIM swaps
The Federal Communications Commission is warning mobile phone service providers to ensure they are shielding customers from cybercriminals who use fraudulent SIM swaps to take over unwitting victims’ mobile phone accounts.
The warning comes on the heels of a Cyber Safety Review Board (CSRB) finding announced in August. The board detailed the operations of the hacking group Lapsus$, which was known for using SIM swaps to extort victims worldwide.
The new advisory, issued Monday by the FCC’s Privacy and Data Protection Task Force, says SIM swap fraud is increasing. It includes a reminder of updated requirements for telecommunications service providers to better guard consumer data.
SIM swappers seek to dupe mobile carriers into transferring a victim’s phone number to a new device, which is then used for fraudulent activity. Scammers have figured out how to take advantage of lax multifactor authentication practices, according to the CSRB, which urged mobile operators to move away from using easily intercepted methods like text-message codes.
The updated FCC rules mandate that carriers do more to securely verify customers identities prior to linking phone numbers to new devices or carriers.
“Cell phone service providers are high-value targets for cybercriminals and scammers because in many instances they serve as the primary means consumers use today to access their most important and valuable financial and personal information,” Loyaan Egal, FCC Enforcement Bureau Chief and chair of the Privacy and Data Protection Task Force, said in a press release.
The agency said carriers must quickly alert customers of account changes including whenever a password, customer response to “a carrier-designed back-up means of authentication,” or other records are altered.
While not a SIM swap, an incident last week in which Verizon gave a woman’s stalker access to her data — including her address and phone records — underscored the dangers of carriers failing to protect customers. The incident, which was first reported by 404 Media in conjunction with Court Watch, revealed that the stalker used a blatantly fake search warrant to obtain the records from the carrier.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.