FCC reminds mobile phone carriers they must do more to prevent SIM swaps


The Federal Communications Commission is warning mobile phone service providers to ensure they are shielding customers from cybercriminals who use fraudulent SIM swaps to take over unwitting victims’ mobile phone accounts.

The warning comes on the heels of a Cyber Safety Review Board (CSRB) finding announced in August. The board detailed the operations of the hacking group Lapsus$, which was known for using SIM swaps to extort victims worldwide.

The new advisory, issued Monday by the FCC’s Privacy and Data Protection Task Force, says SIM swap fraud is increasing. It includes a reminder of updated requirements for telecommunications service providers to better guard consumer data.

SIM swappers seek to dupe mobile carriers into transferring a victim’s phone number to a new device, which is then used for fraudulent activity. Scammers have figured out how to take advantage of lax multifactor authentication practices, according to the CSRB, which urged mobile operators to move away from using easily intercepted methods like text-message codes.

The updated FCC rules mandate that carriers do more to securely verify customers identities prior to linking phone numbers to new devices or carriers.

“Cell phone service providers are high-value targets for cybercriminals and scammers because in many instances they serve as the primary means consumers use today to access their most important and valuable financial and personal information,” Loyaan Egal, FCC Enforcement Bureau Chief and chair of the Privacy and Data Protection Task Force, said in a press release.

The agency said carriers must quickly alert customers of account changes including whenever a password, customer response to “a carrier-designed back-up means of authentication,” or other records are altered.

While not a SIM swap, an incident last week in which Verizon gave a woman’s stalker access to her data — including her address and phone records — underscored the dangers of carriers failing to protect customers. The incident, which was first reported by 404 Media in conjunction with Court Watch, revealed that the stalker used a blatantly fake search warrant to obtain the records from the carrier.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

UK police return £8 million in bitcoin stolen by chronically ill bed-bound thief

Next Post

Credit union operations restored after tech supplier ransomware attack

Related Posts

Glupteba Botnet Evades Detection with Undocumented UEFI Bootkit

The Glupteba botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware. "This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to
Omega Balla
Read More

FBI’s Most-Wanted Zeus and IcedID Malware Mastermind Pleads Guilty

A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021. Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI's most-wanted list in 2012. The U.S.
Jason Macuray
Read More

McDonald’s serves up a master class in how not to explain a system outage

The global outage that last month prevented McDonald's from accepting payments prompted the company to release a lengthy statement that should serve as a master  class in how not to report an IT problem. It was vague, misleading and yet the company used language that still allowed many of the technical details to be figured out. (You know you've moved far from home base when Burger King UK makes fun of you— in response to news of the McDonald's outage, Burger King played off its own slogan by posting on LinkedIn: “Not Loving I.T.”)The McDonald's statement was vague about what happened, but it did opt to throw the chain’s point-of-sale (POS) vendor under the bus — while not identifying which vendor it meant. Classy.To read this article in full, please click here
Read More