The U.S. Federal Communications Commission (FCC) is adopting new rules that aim to protect consumers from cell phone account scams that make it possible for malicious actors to orchestrate SIM-swapping attacks and port-out fraud.
“The rules will help protect consumers from scammers who target data and personal information by covertly swapping SIM cards to a new device or porting phone numbers to a new carrier without ever gaining physical control of a consumer’s phone,” the FCC said this week.
SIM swapping refers to a scammer convincing the victim’s wireless carrier to transfer the victim’s account to a SIM card the scammer controls. Port-out fraud occurs when the bad actor, posing as the victim, transfers the victim’s phone number from one service provider to another without the victim’s knowledge.
The new rules, first proposed in July 2023, require wireless providers to adopt secure methods of authenticating a customer before redirecting that customer’s phone number to a new device or provider.
Another requirement ensures that customers are immediately notified whenever a SIM change or port-out request is made on their accounts so that they can take appropriate action to secure against such attacks.
SIM swapping has emerged as a serious threat, enabling threat actors like LAPSUS$ and Scattered Spider to infiltrate corporate networks. Migrating the service to an actor-controlled device gives the attackers the ability to divert SMS-based two-factor authentication codes and take over victims’ online accounts.
“Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on,” FCC Commissioner Geoffrey Starks said.
“Consumers must be able to count on secure verification procedures and reliable privacy guarantees from their wireless providers. And they should be able to go about their day without fearing that someone, somewhere, might take control of their phone without a single warning sign.”
The development comes as the FCC said it’s also launching an inquiry to understand the impact of artificial intelligence (AI) on robocalls and robotexts.
“AI could improve analytics tools used to block unwanted calls and texts and restore trust in our networks,” the agency said. “But AI could also permit bad actors to more easily defraud consumers through calls and text messages, such as by using technology to mimic voices of public officials or other trusted sources.”