Beware of Scams that Hijack Cellphone Accounts: The Importance of Authentication for Businesses and Consumers
Monday, January 29, 2024
Importance of Authentication for Businesses
Print Mail Download i

Consumers use cell phone numbers to authenticate their identities across a variety of accounts, such as those held with wireless providers, financial institutions, healthcare providers, and retail websites. One common example is when a provider sends an SMS (text) message to your phone to verify your identity before completing a transaction.

Two fraudulent practices – Subscriber Identity Module (SIM) swap fraud and Port-out fraud – may enable threat actors to take control of these accounts without gaining physical control of a cellphone and threaten the financial and digital lives of consumers.

On December 8, 2023, the Federal Communications Commission (FCC) issued a Report and Order that will require wireless providers to refine their customer authentication procedures, customer notification policies, and record retention practices to protect customers from fraud schemes.

The Report and Order underscores the need for account providers of all types to securely authenticate their customers and understand the potential vulnerabilities of their verification processes.

Similarly, consumers should educate themselves about these fraud schemes and learn how to spot them. Going forward, changing a SIM card and porting a wireless number legitimately may be subject to more processes to protect against fraud.

Fraud Schemes Involving Wireless Accounts

The Report and Order identifies two particular fraudulent practices associated with wireless service accounts:

SIM Swap Fraud. A mobile phone has a SIM card, including a chip that identifies your phone number with that phone. SIM swapping happens when a threat actor convinces a victim’s wireless provider to transfer the victim’s service from the victim’s device to the threat actor’s device.

Port-Out Fraud. Port-out fraud involves the threat actor opening an account with a wireless provider on the victim’s behalf and arranging for the victim’s phone number to be ported out (transferred) to the new account.

Both schemes are based on the fact that a wireless provider can change the phone number associated with a SIM card or port a phone number to another wireless provider. This wireless number portability (when legitimate) is convenient for consumers and wireless providers but creates a potential vulnerability.

If a threat actor has control of a consumer’s wireless phone account, then an SMS (text) passcode sent to that account for authentication purposes will go to the threat actor.

Revised Rules to Protect Customers from SIM Swap and Port-Out Fraud

The FCC revised a number of its rules to reduce the incidence of SIM swap and Port-out fraud without making it difficult for customers to change cellphones or devices.

Among other requirements, wireless providers must:

  • Notify customers in advance regarding SIM change and port-out requests
  • Offer customers the option to lock their accounts to block processing of SIM changes and number ports
  • Give customers notice of account protection mechanisms
  • Investigate and remediate fraud promptly

Takeaways

Consumers and account providers should assess and strengthen the authentication methods they use and offer, to prevent and limit SIM swap/Port-out fraud and other fraudulent schemes:

  • Use and Require Unique, Strong Passwords. Threat actors require personal information to effectuate their fraud schemes. Passwords that cannot be brute-forced or compromised will help protect personal information.
  • Use and Require Multi-Factor Authentication. While SMS may be vulnerable to these attacks, this protection is a crucial tool to prevent hacking. Consider other authentication methods like passkeys.
  • Consider Newer Authentication Methods. Authenticator apps that use a “passwordless” sign-in are one way to move away from passwords and other traditional verification mechanisms.
  • Be Skeptical, and Train Those in Your Organization to be Skeptical. Learn to recognize phishing and social engineering attempts. Never click links or open attachments in emails or texts that appear to come from your employer, financial institution or any other provider. Always login to your accounts directly.
Copyright ©2024 Nelson Mullins Riley & Scarborough LLP

Current Legal Analysis

More from Nelson Mullins

Managing the Impacts of the Change Healthcare Cyberattack
by: Ann E. Murray , Elaine Yap
Old North State Report – April 25, 2024
by: George M. Teague , Andrew Heath
What the FTC’s Rule Banning Non-Competes Means for Healthcare
by: Denise M. Gunter , Carrie A. Hanger
Supreme Court Holds That Discriminatory Transfer Claims Under Title VII Do Not Require Proof of “Significant” Harm
by: Phillip J. Strach , Alyssa Riggins
Bringing Moths to the Flame: DOJ Promises Non-Prosecution to Execs for Tips to Combat Corporate Crime
by: Jillian D. Willis
Stark Integrity Podcast: wRVUs Physician Compensation, Volume or Value, and Telehealth Compliance and Use Issues Episodes [Podcast]
by: Bob Wade
The Price of Parroting: Tennessee Passes First Law to Protect Musicians from AI Voice Recreation
by: Jason I. Epstein , Daniel C. Lumm, CIPP/US
Navigating Florida Housing's 2024 Multifamily Rental Programs Income and Rent Limits Chart
by: Nicholas W. Heckman , Roman Petra
The 2023 Merger Guidelines and the Impact on Private Equity
by: Colleen Pleasant Kline , Denise M. Gunter
Navigating the EU AI Act from a US Perspective: A Timeline for Compliance
by: Jason I. Epstein , Daniel C. Lumm, CIPP/US

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins