A month after issuing new rules to push back against SIM-swap and similar schemes, the Federal Communications Commission is warning mobile phone service providers of their obligations to protect consumers against the growing threat.
SIM swapping - and another scam called port-out fraud - are a growing threat, with the FBI saying last year that between 2018 and 2020, its Internet Crime Complaint Center logged 320 complaints that led to losses of at least $12 million.
In 2021, the number of SIM-swapping complaints rose to 1,611, with losses of more than $68 million.
SIM swapping involves a threat actor convincing a target's mobile phone carrier to activate a SIM card they have and transferring the victim's number to that device, giving them control over the phone number.
With that control, the hacker can access bank and other accounts using a username and password, and the two-factor authentication code sent to the phone number will pop up on their phone.
In a port-out fraud scam, the hacker poses as the victim and opens an account with a carrier that is different from the one the target uses.
The bad actor then gets the victim's number ported to the account with the new carrier, which they control.
The FCC proposed new rules designed to curb the threat in July and adopted them last month.
The changes to the agency's Customer Proprietary Network Information and Local Number Portability rules put greater responsibility on carriers.
They have to adopt secure techniques for authenticating a customer before redirecting their phone number to a new device or provider.
At the same time, wireless providers must immediately notify customers when a SIM change or port-out request is made on their accounts.
There also are additional steps the carriers must take to protect customers against SIM swaps and port-out fraud.
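The two obligations just described, authenticate before moving a number and notify the customer the moment a request is made, can be expressed as a small carrier-side workflow. The following is an added illustration written for this article, not FCC text or any carrier's actual code; the account fields, the set of "strong" authentication methods, and the sample subscriber values are all assumptions chosen for the example. The design point it shows is that the one-time code is sent to the SIM that is active before the change, so a request made without possession of that SIM cannot complete, and that notification is emitted before the outcome is decided rather than only after a swap succeeds.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class AuthMethod(Enum):
    ACCOUNT_PASSWORD = "account_password"      # knowledge-only; not accepted alone
    OTP_TO_EXISTING_SIM = "otp_existing_sim"   # proves possession of the current SIM
    IN_STORE_ID_CHECK = "in_store_id_check"    # government ID verified in person
    APP_PUSH_APPROVAL = "app_push_approval"    # approval inside the carrier's own app


# Methods this toy policy treats as "secure" for a SIM change or port-out (assumption).
STRONG_METHODS = {
    AuthMethod.OTP_TO_EXISTING_SIM,
    AuthMethod.IN_STORE_ID_CHECK,
    AuthMethod.APP_PUSH_APPROVAL,
}


@dataclass
class Account:
    msisdn: str                 # the phone number
    active_sim_iccid: str       # SIM currently bound to the number
    email: str                  # channel that does not depend on the SIM
    pending_otp: Optional[str] = None
    ported_to: Optional[str] = None
    notifications: List[str] = field(default_factory=list)  # outbound messages
    audit_log: List[str] = field(default_factory=list)


@dataclass
class ChangeRequest:
    kind: str                   # "sim_swap" or "port_out"
    target: str                 # new ICCID, or the gaining carrier's name
    auth_method: AuthMethod
    verified: bool = False      # result of an out-of-band check (store / app)
    supplied_otp: Optional[str] = None


def issue_otp(acct: Account) -> str:
    """Send a one-time code to the SIM that is active *now*, before any change."""
    acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
    acct.notifications.append(f"sms:{acct.active_sim_iccid}:otp")
    return acct.pending_otp


def _otp_matches(acct: Account, supplied: Optional[str]) -> bool:
    if acct.pending_otp is None or supplied is None:
        return False
    ok = hmac.compare_digest(acct.pending_otp, supplied)  # constant-time compare
    acct.pending_otp = None                               # single use, pass or fail
    return ok


def notify_customer(acct: Account, req: ChangeRequest) -> None:
    """Notify on the request itself, before the outcome, on a SIM-independent
    channel (email) and on the currently active SIM."""
    msg = f"{req.kind} requested for {acct.msisdn} -> {req.target}"
    acct.notifications.append(f"email:{acct.email}:{msg}")
    acct.notifications.append(f"sms:{acct.active_sim_iccid}:{msg}")


def process_request(acct: Account, req: ChangeRequest) -> str:
    notify_customer(acct, req)  # fires on every request, including ones that are denied
    if req.kind not in ("sim_swap", "port_out"):
        acct.audit_log.append(f"DENY unknown request kind {req.kind!r}")
        return "denied:unknown_kind"
    if req.auth_method not in STRONG_METHODS:
        acct.audit_log.append(f"DENY {req.kind}: weak method {req.auth_method.value}")
        return "denied:weak_method"
    if req.auth_method is AuthMethod.OTP_TO_EXISTING_SIM:
        passed = _otp_matches(acct, req.supplied_otp)
    else:
        passed = req.verified
    if not passed:
        acct.audit_log.append(f"DENY {req.kind}: verification failed")
        return "denied:auth_failed"
    if req.kind == "sim_swap":
        acct.active_sim_iccid = req.target
    else:
        acct.ported_to = req.target
    acct.audit_log.append(f"ALLOW {req.kind}: {req.auth_method.value}")
    return "completed"


def demo():
    # Constructed sample subscriber; every value here is a placeholder.
    acct = Account("+15550100", "8901-OLD-SIM", "alice@example.com")
    # Password-only request: notified, logged, denied.
    r1 = process_request(acct, ChangeRequest("sim_swap", "8901-NEW-SIM", AuthMethod.ACCOUNT_PASSWORD))
    # Code delivered to the SIM that is active today, then the swap completes.
    code = issue_otp(acct)
    r2 = process_request(acct, ChangeRequest("sim_swap", "8901-NEW-SIM",
                                             AuthMethod.OTP_TO_EXISTING_SIM, supplied_otp=code))
    return acct, r1, r2


if __name__ == "__main__":
    account, first, second = demo()
    print(first, second, account.active_sim_iccid)
    print("\n".join(account.audit_log))
```

Running the module shows the first request denied and the second completed, with two notification entries written for each request before any decision is made. The audit log is the artefact a fraud team would review: a burst of denied requests against one account is itself a signal worth alerting on.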
The FCC's adoption of the new rules came after a report by the Department of Homeland Security's Cyber Safety Review Board in August about Lapsus$, a loosely organized group of hackers - some of whom were teenagers - that cut a brief but high-profile swath across the cybercrime landscape in 2021 and 2022.
It was known for using SIM-swapping and other relatively simple techniques to breach corporate networks and extort large corporations, including T-Mobile, Microsoft, Okta, Cisco, Nvidia, Uber, and Samsung.
In an attack that came well after Lapsus$ left the scene, three cryptocurrency firms sustained data breaches after an employee at risk advisory firm Kroll fell victim to a SIM-swapping scam.
The firms, FTX, BlockFI, and Genesis, had hired Kroll to handle their bankruptcy cases.
The employee's T-Mobile account was seized August 10 in the scam, which gave hackers access to files from the three companies that were in Kroll's cloud-based systems.
The files contained sensitive information from the crypto firms, including names, addresses, email addresses, and balances in their FTX accounts.
The bad actors then used some of the information in phishing campaigns.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 13 Dec 2023 15:13:37 +0000