[TheRecord] FCC to work on rules to prevent SIM swapping attacks

The Federal Communications Commission announced today plans to introduce new rules for US mobile carriers to address the rising wave of SIM swapping and port-out fraud attacks.

The two attacks, while they have different names, are closely related. Both take place when mobile carriers fail to properly verify a customer’s identity when they request that their service be transferred to a new SIM card (SIM swapping attack) or to an account at another mobile operator (port-out fraud).

Once threat actors trick a carrier into transferring service to a new SIM card under their control, they typically use this temporary access to bypass two-factor authentication or reset passwords for online accounts.

Both attacks have been primarily used over the past three years to steal funds from victims’ e-banking or cryptocurrency accounts.

The US Justice Department has charged tens of individuals over the past half-decade with thefts enabled by SIM swapping and port-out fraud [1, 2, 3, 4].

Some of the victims who have been robbed using the two techniques have also sued mobile carriers in an attempt to recover their monetary losses, with multiple lawsuits still underway.

In addition, SIM swapping and port-out fraud have expanded beyond the US, and criminal groups in other countries have begun incorporating the two techniques into their arsenals, with Europol arresting tens of suspects already.

But in recent years, as some US carriers have introduced additional verification measures during the SIM service transfer operation, SIM swapping groups have also changed tactics.

Some groups have been seen bribing carrier employees or using vulnerabilities in the carrier’s backend systems to carry out their attacks, skipping the need to have direct contact with, and “trick,” the carrier’s support staff.

This has led to a situation where both attacks are still very much relevant and still abused by some criminal gangs.

In its press release today announcing its “formal rulemaking process,” the FCC cited “numerous complaints from consumers” as the reason for its intervention, making it clear that US mobile carriers have failed in securing their systems and protecting consumers.

The FCC has not announced a timeline for the new rules, nor has it indicated in what direction the rules would go. An FCC spokesperson did not return a request for comment.

The post FCC to work on rules to prevent SIM swapping attacks appeared first on The Record by Recorded Future.
