FCC to work on rules to prevent SIM swapping attacks
The Federal Communications Commission announced today plans to introduce new rules for US mobile carriers to address the rising wave of SIM swapping and port-out fraud attacks.
The two attacks, while they have different names, are closely related. Both take place when a mobile carrier fails to properly verify a customer's identity before acting on a request to transfer that customer's service to a new SIM card (SIM swapping attack) or to an account at another mobile operator (port-out fraud).
Once threat actors trick a carrier into transferring service to a new SIM card under their control, they typically use this temporary access to bypass two-factor authentication or reset passwords for online accounts.
Over the past three years, both attacks have been used primarily to steal funds from victims' e-banking or cryptocurrency accounts.
The US Justice Department has charged tens of individuals over the past half-decade with thefts enabled by SIM swapping and port-out fraud [1, 2, 3, 4].
Some of the victims who have been robbed using the two techniques have also sued mobile carriers in an attempt to recover their monetary losses, with multiple lawsuits still underway.
In addition, SIM swapping and port-out fraud have spread beyond the US, with criminal groups in other countries incorporating the two techniques into their arsenals and Europol having already arrested tens of suspects.
But in recent years, as some US carriers have introduced additional verification measures during the SIM service transfer operation, SIM swapping groups have also changed tactics.
Some groups have been seen bribing carrier employees or exploiting vulnerabilities in carriers' backend systems to carry out their attacks, removing the need to contact and "trick" the carrier's support staff directly.
As a result, both attacks remain very much relevant and are still abused by some criminal gangs.
In its press release today announcing its "formal rulemaking process," the FCC cited "numerous complaints from consumers" as the reason for its intervention, making it clear that US mobile carriers have failed in securing their systems and protecting consumers.
"The FCC’s rulemaking process generally starts with a Notice of Proposed Rulemaking (like this one) that asks questions and makes proposals," an FCC spokesperson told The Record. "We then have a period during which we take public comments – generally made through our Electronic Comment Filing System. After that we review comments before taking any next steps."
"There is no set timeline," the agency added.
Article updated at 8pm ET with comment from FCC.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.