By Luke Lukashunas – Internationally Recognized Law Enforcement & Corporate Security Leader
In today’s digital age, our phone numbers are more than just a way to communicate—they are the key to accessing sensitive accounts, financial information, and personal data. Unfortunately, this has made mobile phones a prime target for criminals who exploit vulnerabilities through SIM swapping and port-out fraud.
These forms of fraud are not only invasive but also devastating, leaving victims locked out of their accounts and exposed to identity theft. Despite new regulations introduced by the Federal Communications Commission (FCC), many consumers remain unaware of the risks and protections available to them.
What Are SIM Swapping and Port-Out Fraud?
- SIM Swapping occurs when fraudsters convince your wireless carrier to switch your phone number to a new SIM card in their possession. This gives them control over your calls, texts, and accounts tied to your phone number.
- Port-Out Fraud takes this a step further, where the attacker transfers your number to a completely different carrier, gaining control of your phone line.
Once the attacker gains access, they can intercept SMS-based verification codes, bypass account security measures, and take over your sensitive accounts.
How These Tactics Undermine SMS-Based Multi-Factor Authentication (MFA)
SMS-based MFA is a widely used security feature that sends a one-time passcode (OTP) via text message to verify your identity. However, SIM swapping and port-out fraud render this method ineffective:
-
- Takeover of Phone Number: Fraudsters gain control of your phone number, receiving all OTPs sent via text.
- Bypass of Account Security: With access to OTPs, they log in to your accounts, reset passwords, and bypass critical security measures.
- Escalation of Fraud: Once inside your accounts, they may steal funds, lock you out, or compromise your sensitive data.
While SMS-based MFA offers a basic layer of security, it is vulnerable compared to app-based MFA (e.g., Google Authenticator) or hardware security keys.
The FTC Mandate: A Step Forward
In response to the growing threat, the Federal Communications Commission (FCC) introduced a compliance mandate, effective July 8, 2024, requiring wireless carriers to implement stronger protections against SIM swapping and port-out fraud. According to the FCC release (read it here), these rules aim to improve account security by introducing robust authentication protocols.
Unfortunately, this critical mandate was not widely publicized, leaving many consumers unaware of these protections. This lack of awareness continues to place consumers at risk, despite the availability of enhanced safeguards. What is more appalling, however, is that SIM swap protection is not enabled by default for most carriers. Consumers must take the extra step of activating this feature on their accounts, leaving many unknowingly vulnerable. This oversight puts the burden of fraud prevention entirely on the consumer, despite the growing prevalence of these attacks.
How to Protect Yourself
1. Enable Fraud Prevention Features with Your Carrier
Wireless carriers have implemented tools to protect against SIM swapping and port-out fraud. Below are resources for the top six wireless carriers in the United States, based on subscriber count, according to Wikipedia:
- Verizon: My Verizon Website – Enable / Disable SIM Protection and Number Lock
- T-Mobile: Protect your T-Mobile account from fraud | T-Mobile Support
- AT&T: Lock SIM Card With PIN Code – AT&T Wireless Customer Support
- Boost Mobile: Fraud Prevention | Boost Mobile
- U.S. Cellular: eSIM FAQs | UScellular
- Xfinity Mobile (Comcast): How to turn on or off a Number Lock – Xfinity Support
For carriers not listed, contact your provider directly to inquire about their fraud prevention options.
2. Strengthen Your Security Practices
- Set up a secure PIN or passcode with your carrier.
- Use app-based MFA or hardware security keys instead of SMS-based MFA for critical accounts.
- Avoid sharing personal information online that could be used to impersonate you.
3. Be Vigilant
Watch for these warning signs:
- Sudden loss of phone service without explanation.
- Notifications about account changes that you didn’t authorize.
If you suspect SIM swapping or port-out fraud, contact your carrier immediately and secure your accounts.
Why Awareness Matters
SIM swapping and port-out fraud are sophisticated attacks that exploit one of the most commonly used security methods—SMS-based MFA. While the FCC’s new compliance rules are a step in the right direction, the lack of widespread public awareness leaves many consumers vulnerable.
As an internationally recognized law enforcement and corporate security leader, I urge everyone to take proactive steps to secure their mobile accounts and protect themselves from these growing threats.
For more information, visit the FCC’s release on this mandate: FCC Mandate on Cell Phone Consumer Protection.
Your vigilance is the first line of defense against these attacks. Don’t wait until it’s too late to protect yourself.
