
FCC Proposal Targets SIM Swapping, Port-Out Fraud – Krebs on Security


The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity.

In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

“We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud,” the FCC wrote. “Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate.”

The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and number port-out fraud. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.

From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.

Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attackers control).

The FCC said the carriers have traditionally sought to address both forms of phone number fraud by requiring static data about the customer that is no longer secret and has been exposed in a variety of places already — such as date of birth and Social Security number. By way of example, the commission pointed to the recent breach at T-Mobile that exposed this data on 40 million current, past and prospective customers.

What’s more, victims of SIM swapping and number port-out fraud are often the last to know about their victimization. The FCC…


AT&T is finally adding a security feature to cut down on port-out scams


AT&T appears to already have a response to the FCC’s new proposals announced today: the carrier is adding a one-time passcode security feature to cut down on port-out scams.

A new AT&T support article we spotted today states that the carrier will soon require customers who want to port out their number to generate a one-time passcode before switching carriers. The feature is called a “Number Transfer PIN”, and Verizon has been using it since March of last year. It’s a secure one-time-use code that can only be generated by the customer.

Customers who want to port out must first either dial *PORT from their current line or generate a code with the myAT&T app or their online account. The code is then provided to the carrier they are porting to, along with other general account information. Importantly, AT&T employees cannot generate this code on a customer’s behalf. This eliminates an “inside job” type of situation, at least for port-out scams.

Number Transfer PINs replace the existing pre-configured PIN setup that AT&T (and T-Mobile) currently uses. The pre-configured PIN is established when the account is opened, and is used both for account access and for porting out. The new PINs are randomized and only generated when needed, making them much more secure.

The change is currently set to take place on October 18th, according to the support article. T-Mobile will then be the only major carrier not using the Number Transfer PIN method.
