Understanding SIM Swap Attacks and How to Safeguard Yourself
In a proactive move to safeguard consumers from emerging digital threats, the U.S. Federal Communications Commission (FCC) has proposed new regulations aimed at curbing the rise of “SIM swap” and “port-out scams.”
These malicious activities have been on the rise, with fraudsters exploiting vulnerabilities in mobile communication systems to gain unauthorized access to victims’ personal and financial information.
What is a “SIM Swap” attack?
SIM swapping occurs when a scammer or other bad-faith actor gets control of your phone number or your phone’s SIM card, either by having the carrier move your number to a SIM in the scammer’s hands or by porting the number to another carrier (a port-out scam).
Once your phone number has been rerouted to the attacker’s phone, they can exploit the weakness of phone-number-based two-factor authentication (2FA) and verification: one-time codes and reset links sent to your number now reach them, giving them a path into your accounts, from social media and banking accounts to crypto accounts and wallets and any other website or platform that verifies you through your phone number.
Notable examples
Over the past few years, SIM swap attacks have surged, most notably in 2018 when crypto investor Michael Terpin fell victim to a $23.8 million SIM swap attack perpetrated by an 18-year-old living in New York named Ellis Pinsky.
Terpin is also the co-founder of the blockchain public relations firm Transform Group, as well as the crypto investor network BitAngels.
Through his legal counsel, Terpin filed a lawsuit against his phone carrier, AT&T, alleging that the telecom giant had failed to conduct its due diligence and had helped facilitate the SIM swap scheme that cost him close to $2 million in various crypto assets, citing negligence, breach of contract, and violation of the Communications Act.
In April, however, after six years of litigation, a California judge ruled in favor of AT&T, determining that there was no evidence to support Terpin’s claims.
British hacker Joseph O’Connor, known as “PlugwalkJoe,” was sentenced to five years in U.S. prison after stealing $794,000 in cryptocurrency through a SIM swap attack in 2019. Arrested in Spain in 2021 and later extradited to the U.S., O’Connor pleaded guilty to multiple charges, including conspiracy to commit computer intrusions, wire fraud, and money laundering.
Quite a few brands and individual accounts across the crypto and NFT space have fallen victim to these attacks over the past year as well.
Congress and the FCC
Congress and the FCC have spent a long time working on how best to minimize and prevent SIM swap attacks. On July 11, the FCC announced its commitment to protecting consumers from what it termed “ugly new frauds.”
The proposed rules are designed to make it increasingly challenging for malicious actors to execute these scams, thereby enhancing the security of mobile users across the country.
Distinguishing them from SIM swap scams, the FCC also called attention to “port-out scams,” which involve the unauthorized transfer of a victim’s phone number to a different carrier, again giving the scammer potential access to sensitive accounts.
The rise of these scams has been a cause for concern, with numerous reports highlighting the significant financial and emotional toll they have taken on victims. The FCC’s proposed regulations are a response to this growing threat, signaling the agency’s recognition of the need for robust preventive measures.
While the specifics of the proposed rules were not detailed in the FCC announcement, it is anticipated that they will involve stricter verification processes for SIM swaps and port-outs. This could include mandatory multi-factor authentication, tighter security questions, and enhanced communication between mobile carriers and their customers regarding any changes to their accounts.
The FCC’s move is in line with a broader trend of regulatory bodies worldwide taking steps to address the challenges posed by the digital age, including the SEC and CFTC in the U.S., and the EU with respect to cryptocurrency regulation, to name a few.
How To Safeguard Yourself
Warning signs of a SIM swap include a sudden inability to make calls or send texts, notifications of activity on a different device, being locked out of accounts, and unfamiliar transactions on your financial statements. Spotting these signs early can help limit the harm. Fortunately, there are steps you can take to further protect yourself:
- Preventing SIM swap fraud requires vigilant online behavior and robust account security. This includes avoiding clicking on unknown email links, using strong, unique passwords, and setting up additional passcodes or PINs with your phone carrier, if possible.
- Consider using authentication apps like Google Authenticator that tie two-factor authentication to your device rather than your phone number. Cooperate with your banks and mobile carrier for shared knowledge on SIM swap activity and setting up user alerts. Some organizations offer call-back services to verify identity, adding an extra layer of security.
- Don’t rely solely on your phone number for security and identity authentication. Leverage hardware security keys such as YubiKey for additional protection against SIM swap attacks, as they provide physical, two-factor authentication tied to the device, not the phone number.
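The carrier-to-bank alerting mentioned above can be turned into a concrete check. The following is an added example, not code from the article or any carrier: it assumes a hypothetical carrier feed of SIM-change events and a service’s authentication log (both constructed inline) and flags any SMS-based verification that happened shortly after the number’s SIM was changed, while leaving app-based (TOTP) and hardware-key logins alone because those factors do not follow the phone number.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): a carrier SIM-change feed
# and a bank's authentication log keyed by the customer's phone number.
SIM_CHANGES = [
    {"phone": "+15550100", "changed_at": "2024-04-02T09:15:00"},
    {"phone": "+15550200", "changed_at": "2024-03-01T12:00:00"},
]
AUTH_EVENTS = [
    {"user": "alice", "phone": "+15550100", "method": "sms_otp",
     "action": "password_reset", "at": "2024-04-02T09:40:00"},
    {"user": "bob", "phone": "+15550200", "method": "sms_otp",
     "action": "login", "at": "2024-04-02T10:00:00"},
    {"user": "carol", "phone": "+15550300", "method": "totp",
     "action": "login", "at": "2024-04-02T10:05:00"},
    {"user": "alice", "phone": "+15550100", "method": "hw_key",
     "action": "login", "at": "2024-04-02T11:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def flag_risky_events(sim_changes, auth_events, window_hours=72):
    """Return auth events that relied on the phone number (SMS one-time code)
    within window_hours after that number's SIM card was changed."""
    last_change = {}
    for change in sim_changes:  # keep the most recent change per number
        when = _ts(change["changed_at"])
        if change["phone"] not in last_change or when > last_change[change["phone"]]:
            last_change[change["phone"]] = when
    window = timedelta(hours=window_hours)
    flagged = []
    for event in auth_events:
        if event["method"] != "sms_otp":
            continue  # TOTP apps and hardware keys are not tied to the number
        changed = last_change.get(event["phone"])
        if changed is None:
            continue
        delta = _ts(event["at"]) - changed
        if timedelta(0) <= delta <= window:
            flagged.append({
                "user": event["user"],
                "action": event["action"],
                "hours_since_sim_change": round(delta.total_seconds() / 3600, 2),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_risky_events(SIM_CHANGES, AUTH_EVENTS):
        print("review:", hit)
```

A service holding such a flag would typically step up to a non-SMS factor or a call-back before honoring the password reset, rather than trusting the SMS code.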
What’s next?
It remains to be seen how the mobile carrier industry will respond to the FCC’s proposed rules. Collaboration between regulatory bodies and industry stakeholders will be essential to ensure that the measures are both effective and practical. The ultimate goal is to strike a balance between user convenience and security, ensuring that consumers can enjoy the benefits of mobile communication without constantly fearing potential scams.
The FCC’s announcement has been met with widespread approval from consumer protection advocates, who have long called for stricter regulations to combat SIM swap and port-out scams. As the proposal moves through the regulatory process, it will be crucial for all stakeholders to engage in constructive dialogue, ensuring that the final rules are both robust and implementable.