In a proactive effort to protect consumers from emerging digital threats, the US Federal Communications Commission (FCC) has proposed new regulations to curb the rise of SIM swap and port-out scams.
These malicious activities are on the rise, with fraudsters exploiting vulnerabilities in mobile communications systems to gain unauthorized access to victims’ personal and financial information.
What is a “SIM Swap” attack?
SIM swapping occurs when scammers or a bad faith actor get their hands on your phone number or your phone’s SIM card, allowing them to access your accounts or “redirect” that now-stolen SIM card to a phone that is now in that scammer’s hands (port out scam).
Once your phone number has been redirected to that hacker’s phone, they can now take advantage of a weakness in your “two-factor authentication” (2FA) and verification by using your phone number to access your accounts – ranging from your social media accounts and bank accounts to your crypto accounts/wallets, any other online website or platform that requires you to enter a username and password.
Remarkable examples
Over the past few years, SIM swap attacks have seen a surge, most notably in 2018 when crypto investor Michael Terpin fell victim to a $23.8 million SIM swap attack perpetrated by an 18-year-old. year-old living in New York named Ellis Pinsky.
Terpin is also the co-founder of blockchain PR firm Transform Group, as well as crypto investor network BitAngels.
Through his legal counsel, Terpin filed a lawsuit against his phone company, AT&T, alleging that the telecom giant failed to conduct their due diligence and helped facilitate the SIM-swap scheme that resulted in him negligently paying nearly $2 million. to various crypto assets. , breach of contract and violation of the Communications Act.
However, a California judge ruled in favor of AT&T in April after six years of pending lawsuits, finding that there was no evidence to support Terpin’s claims.
British hacker Joseph O’Connor, known as ‘PlugwalkJoe’, was sentenced to five years in prison in the US after stealing $794,000 worth of cryptocurrency in a SIM swap attack in 2019. Arrested in Spain in 2021 and later extradited to the US, O’Connor pleaded guilty to multiple charges, including conspiracy to commit computer break-ins, wire fraud and money laundering.
Quite a few brands and individual accounts in the Crypto and NFT space have also fallen victim to these attacks over the past year.
Congress and the FCC
Congress and the FCC have long worked on the best way to minimize and prevent SIM swap attacks. On July 11, the FCC announced its commitment to protecting consumers from what it called “ugly new fraud.”
The proposed rules are designed to make it increasingly difficult for adversaries to carry out these scams, improving the safety of mobile users across the country.
The FCC distinguished between SIM-swap scams and also drew attention to “Port-out scams”, in which a victim’s phone number is transferred to another carrier without permission, potentially allowing the scammer to gain access to sensitive accounts again.
The rise of these scams is of concern, with numerous reports highlighting the significant financial and emotional toll they have taken on victims. The regulations proposed by the FCC are in response to this growing threat and indicate the agency’s recognition of the need for robust preventive measures.
While the details of the proposed rules were not detailed in the FCC announcement, they are expected to involve stricter verification processes for SIM swaps and port-outs. This includes mandatory multi-factor authentication, stricter security questions and improved communication between mobile providers and their customers about any changes to their accounts.
The FCC’s move is in line with a broader trend of regulators around the world taking steps to address the challenges of the digital age, including the SEC and CFTC in the US, and the EU regarding cryptocurrency regulation, just to name a few.
How to protect yourself
Warning signs of a SIM swap include the inability to call or text, reports of activity on another device, inability to access accounts, and unknown transactions on your financial statements. By noticing these signs early, you can help limit potential damage. Fortunately, there are steps you can take to further protect yourself:
- Preventing SIM swap fraud requires vigilant online behavior and robust account security. This includes avoiding clicking unfamiliar email links, using strong, unique passwords, and setting up additional passcodes or PINs with your carrier if possible.
- Consider using authentication apps like Google Authenticator that tie two-factor authentication to your device instead of your phone number. Work with your banks and mobile carrier for shared knowledge about SIM swap activity and setting up user alerts. Some organizations offer callback services to verify identity, adding an extra layer of security.
- Don’t rely solely on your phone number for security and identity verification. Make use of hardware security keys like YubiKey for additional protection against SIM swapping attacks, as they provide physical two-factor authentication that is tied to the device, not the phone number.
What’s next?
It remains to be seen how the mobile carrier industry will react to the rules proposed by the FCC. Collaboration between regulators and industry stakeholders will be essential to ensure that the measures are both effective and practical. The ultimate goal is to strike a balance between ease of use and security so that consumers can enjoy the benefits of mobile communications without the constant fear of potential scams.
The FCC’s announcement has been widely welcomed by consumer protection advocates, who have long advocated stricter regulations to combat SIM swapping and port-out scams. As the proposal moves through the regulatory process, it will be critical for all stakeholders to engage in constructive dialogue to ensure that the final rules are both robust and workable.