FCC Warns Carriers to Protect Customers Against SIM Swaps
2023-12-13 22:40:47 Author: securityboulevard.com

A month after issuing new rules to push back against SIM-swap and similar schemes, the Federal Communications Commission (FCC) is warning mobile phone service providers of their obligations to protect consumers against the growing threat.

The FCC’s Enforcement Bureau will not only be aggressive in protecting consumers’ data and privacy but also “will hold accountable carriers to ensure they are doing everything possible to combat these cell phone account access scams,” Loyaan A. Egal, the bureau’s chief and chair of the agency’s Privacy and Data Protection Task Force, said in a statement this week.

“Cell phone service providers are high-value targets for cybercriminals and scammers because in many instances they serve as the primary means consumers use today to access their most important and valuable financial and personal information,” Egal said. “Bad actors are keenly aware of this and seek to exploit vulnerabilities to access this information. Telecom providers’ responsibility to protect that data is vitally important.”

SIM Swaps and Port-Out Fraud

SIM swapping – and another scam called port-out fraud – are a growing threat, with the FBI saying last year that between 2018 and 2020, its Internet Crime Complaint Center logged 320 complaints that led to losses of at least $12 million. In 2021, the number of SIM-swapping complaints rose to 1,611, with losses of more than $68 million.

SIM swapping involves a threat actor convincing a target’s mobile phone carrier to activate a SIM card they have and transferring the victim’s number to that device, giving them control over the phone number. With that control, the hacker can access bank and other accounts using a username and password, and the two-factor authentication code sent to the phone number will pop up on their phone.

In a port-out fraud scam, the hacker poses as the victim and opens an account with a carrier that is different from the one the target uses. The bad actor then gets the victim’s number ported to the account with the new carrier, which they control.

The Onus is on Wireless Providers

The FCC proposed new rules designed to curb the threat in July and adopted them last month. The changes to the agency’s Customer Proprietary Network Information and Local Number Portability rules put greater responsibility on carriers. They have to adopt secure techniques for authenticating a customer before redirecting their phone number to a new device or provider.

At the same time, wireless providers must immediately notify customers when a SIM change or port-out request is made on their accounts. There also are additional steps the carriers must take to protect customers against SIM swaps and port-out fraud.

“These new rules set baseline requirements that establish a uniform framework across the mobile wireless industry while giving wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available,” the FCC wrote in November.

The FCC’s adoption of the new rules came after a report by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) in August about Lapsus$, a loosely organized group of hackers – some of whom were teenagers – that cut a brief but high-profile swath across the cybercrime landscape in 2021 and 2022.

Lapsus$ and Its Use of SIM Swaps

It was known for using SIM-swapping and other relatively simple techniques to breach corporate networks and extort large corporations, including T-Mobile, Microsoft, Okta, Cisco, Nvidia, Uber, and Samsung.

“In several instances, attackers gained initial access to targeted organizations through [SIM] swapping attacks, which allowed them to intercept one-time passcodes and push notifications sent via SMS, effectively defeating this widely used MFA control,” the CSRB wrote. “A lucrative SIM swap criminal market further enabled this pay-for access to a target’s mobile phone services.”

In an attack that came well after Lapsus$ left the scene, three cryptocurrency firms sustained data breaches after an employee at the risk advisory firm Kroll fell victim to a SIM-swapping scam. The firms, FTX, BlockFi, and Genesis, had hired Kroll to handle their bankruptcy cases.

The employee’s T-Mobile account was seized August 10 in the scam, which gave hackers access to files from the three companies that were in Kroll’s cloud-based systems. The files contained sensitive information from the crypto firms, including names, addresses, email addresses, and balances in their FTX accounts.

The bad actors then used some of the information in phishing campaigns.

Source: https://securityboulevard.com/2023/12/fcc-warns-carriers-to-protect-customers-against-sim-swaps/