SECURITY THEATRE

The FCC says new rules will curb SIM swapping. I’m pessimistic

SIM swaps and port-out scams are a fact of life. New rules aren't likely to change that.


After years of inaction, the FCC this week said that it's finally going to protect consumers against a scam that takes control of their cell phone numbers by deceiving employees who work for mobile carriers. While commissioners congratulated themselves for the move, there’s little reason yet to believe it will stop a practice that has been all too common over the past decade.

The scams, known as "SIM swapping" and "port-out fraud," both have the same objective: to wrest control of a cell phone number away from its rightful owner by tricking the employees of the carrier that services it. SIM swapping occurs when crooks hold themselves out as someone else and request that the victim's number be transferred to a new SIM card—usually under the pretense that the victim has just obtained a new phone. In port-out scams, crooks do much the same thing, except they trick the carrier employee into transferring the target number to a new carrier.

This class of attack has existed for well over a decade, and it became more commonplace amid the irrational exuberance that drove up the price of Bitcoin and other cryptocurrencies. People storing large sums of digital coin have been frequent targets. Once crooks take control of a phone number, they trigger password resets that work by clicking on links sent in text messages. The crooks then drain cryptocurrency and traditional bank accounts.

The practice has become so common that an entire SIM-swap-as-a-service industry has cropped up. More recently, these scams have been used by threat actors to target and in some cases successfully breach enterprise networks belonging to some of the world’s biggest organizations.

The crooks pursuing these scams are surprisingly adept in the art of the confidence game. Lapsus$, a threat group composed mostly of teens, has repeatedly used SIM swaps and other forms of social engineering with a confounding level of success. From there, members use commandeered numbers to breach other targets. Just last month, Microsoft profiled a previously unknown group that regularly uses SIM swaps to ensnare companies that provide mobile telecommunications processing services.

A key to the success of the group, tracked by Microsoft as "Octo Tempest," is its painstaking research, which allows the group to impersonate victims to a degree most people would never imagine. Attackers can mimic the distinct idiolect of the target. They have a strong command of the procedures used to verify that people are who they claim to be. There's no reason to think groups such as these couldn't get around the new rules with minimal additional effort.

Vague rules

This week, the FCC finally said it was going to put a stop to SIM swapping and port-out fraud. The new rules, the commission said, “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.”

But there’s no real guidance on what these secure authentication methods should be or what constitutes immediate notification. The FCC rules have instead been written to explicitly give “wireless providers the flexibility to deliver the most advanced and appropriate fraud protection measures available.” Adding to the challenge is a gaggle of carriers with low-paid and poorly trained employees and cultures steeped in apathy and carelessness.

None of this is to say that the FCC won’t ultimately create rules that will provide a meaningful check on a scam that has reached epidemic proportions. It does mean that the problem will be extremely hard to solve.

For the time being, SIM swaps and port-out scams are a fact of life, and there’s little reason for optimism that a handful of vaguely worded requirements will make a difference. For now, the best you can do is—when possible—ensure that accounts are protected by a PIN or verbal password and follow these additional precautions provided by the Federal Trade Commission.
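The two controls the FCC rules describe (authenticate the customer before redirecting a number, and notify the customer immediately) and the account PIN recommended above are easier to reason about in code than in regulatory language. The following Python model of a carrier-side SIM-change and port-out request handler is an added example, not code from the FCC, any carrier, or this article's author. It assumes a constructed account with a salted, hashed PIN, a small lockout after repeated wrong PINs, a hold window before the change takes effect, and notification channels that are not the phone number being moved (if the only alert goes by SMS to the number itself, the attacker holds it once the swap completes). All account numbers and channel names are constructed placeholders.

```python
"""Model of a SIM-change / port-out request flow with PIN check, lockout,
hold window and out-of-band notification. Added example; assumptions are
labelled in comments. Not a real carrier's implementation."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_ATTEMPTS = 3              # assumed: wrong PINs before the account locks
LOCKOUT_SECONDS = 15 * 60     # assumed: lockout length
HOLD_SECONDS = 24 * 3600      # assumed: delay before a change takes effect


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table of PIN hashes is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    number: str
    pin_hash: bytes
    salt: bytes
    # Channels other than SMS to `number` itself, e.g. "email:owner@example.test".
    notify_channels: List[str]
    failed_attempts: int = 0
    locked_until: float = 0.0
    pending: Optional[dict] = None


def new_account(number: str, pin: str, channels: List[str]) -> Account:
    salt = os.urandom(16)
    return Account(number, hash_pin(pin, salt), salt, channels)


class SimChangeService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                  # injectable clock so the flow is testable
        self.notifications: List[tuple] = []  # (number, channel, message) log

    def notify(self, acct: Account, message: str) -> None:
        # Send to every registered out-of-band channel, never only to the number.
        for channel in acct.notify_channels:
            self.notifications.append((acct.number, channel, message))

    def request_change(self, acct: Account, pin_attempt: str,
                       target: str, kind: str = "sim_swap") -> str:
        """Returns 'locked', 'denied' or 'pending'. Nothing moves yet."""
        t = self.now()
        if t < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(hash_pin(pin_attempt, acct.salt), acct.pin_hash):
            acct.failed_attempts += 1
            self.notify(acct, f"Failed {kind} attempt on your account")
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.locked_until = t + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.pending = {"kind": kind, "target": target,
                        "execute_after": t + HOLD_SECONDS, "cancelled": False}
        # Immediate notification, sent while the customer still holds the number.
        self.notify(acct, f"{kind} to {target} requested; it takes effect in "
                          f"{HOLD_SECONDS // 3600}h unless you cancel")
        return "pending"

    def cancel(self, acct: Account) -> bool:
        if acct.pending and not acct.pending["cancelled"]:
            acct.pending["cancelled"] = True
            self.notify(acct, f"{acct.pending['kind']} cancelled")
            return True
        return False

    def execute_due(self, acct: Account) -> Optional[str]:
        """Apply the pending change only after the hold window; returns target."""
        p = acct.pending
        if not p or p["cancelled"] or self.now() < p["execute_after"]:
            return None
        acct.pending = None
        self.notify(acct, f"{p['kind']} to {p['target']} completed")
        return p["target"]


if __name__ == "__main__":
    # Constructed walk-through: wrong PIN twice, then the real one, then wait.
    acct = new_account("+15555550100", "4821", ["email:owner@example.test"])
    svc = SimChangeService()
    print(svc.request_change(acct, "0000", "SIM-B"))   # denied
    print(svc.request_change(acct, "4821", "SIM-B"))   # pending
    print(svc.execute_due(acct))                       # None: hold not elapsed
```

The design choice worth noting is the hold window: it turns "immediate notification" from a courtesy into a control, because the legitimate owner receives the alert on a channel the attacker does not control and has time to cancel before the number moves.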
