The FCC has announced new regulations to protect consumers from losing their phone numbers and personal data to scammers who use SIM swapping and port-out fraud. These scams transfer a consumer’s phone number to a different device or carrier without their consent; the scammer then uses the number to access the victim’s online accounts and steal their cryptocurrency, identity, or money. The new rules require wireless carriers to authenticate a customer’s identity before making any changes to their phone number or device, and to alert the customer whenever a SIM swap or port-out request is made on their account. The FCC also wants carriers to implement additional security measures to prevent fraudulent requests. The rules are based on the recommendations of the FCC’s Privacy and Data Protection Task Force, which was formed in July 2023, and they respond to the growing number of complaints and losses reported by consumers and law enforcement agencies due to SIM swapping and port-out fraud. According to the FBI, SIM swapping complaints increased from 320 in 2020 to 2,026 in 2021, with total losses exceeding $140 million. The FCC hopes that its new rules will help stop these scams and secure consumers’ phone numbers and information. ¹²³⁴
In recent history:
In December 2021, T-Mobile disclosed another data breach that was linked to SIM swap attacks affecting a “very small number of customers”. The attackers used social engineering or bribery to persuade T-Mobile employees to reassign the phone numbers of the victims to their own devices, and then used them to access their online accounts and information. T-Mobile said it had corrected the issue and notified the affected customers. This breach came after a massive data breach in August 2021 that exposed the personal data of more than 50 million current, former, and prospective T-Mobile users, including phone numbers, addresses, social security numbers, and driver’s license and ID info. T-Mobile said it had partnered with cybersecurity experts and consultants to improve its security and prevent future attacks. ¹⁴
In December 2021, the final member of an international hacking group known as ‘The Community’ was sentenced for his role in a multimillion-dollar SIM hijacking campaign. The group used SIM swapping and port-out fraud to steal cryptocurrency from victims across the U.S. Its members either bribed mobile phone providers’ employees or impersonated them to transfer the victims’ phone numbers to their own devices, and then used those numbers to bypass two-factor authentication and log into the victims’ cryptocurrency accounts. In total, the group stole tens of millions of dollars in cryptocurrency, with individual victims losing from under $2,000 to over $5 million. The six members were sentenced to prison terms ranging from 10 months to four years, and ordered to pay restitution ranging from $50,000 to over $9.5 million. ²
In August 2023, the FBI announced it had dismantled a global network of hacked computers that was used to conduct SIM swapping attacks and steal cryptocurrency from victims. The FBI seized over $8 million in cryptocurrency from the hackers and removed their malicious code from an unspecified number of infected computers in the U.S. and around the world. The hackers used malware to infect the computers and then used them to send phishing emails and text messages to the victims, pretending to be their mobile phone providers and asking them to verify their account details. With that information, the hackers performed SIM swaps and port-outs, accessed the victims’ cryptocurrency accounts, and transferred the funds to their own wallets. The FBI said it had identified and arrested several individuals involved in the scheme, and warned consumers to be vigilant and protect their phone numbers and online accounts. ³
(1) T-Mobile’s Latest Data Breach Linked to SIM Swap Attacks. https://www.macrumors.com/2021/12/29/t-mobile-data-breach-sim-attacks/.
(2) US hacker jailed for role in multimillion-dollar SIM swapping campaign. https://techcrunch.com/2021/12/01/hacker-jailed-sim-swapping/.
(3) FBI announces it has dismantled global network of hacked computers used …. https://www.cnn.com/2023/08/29/politics/fbi-dismantled-network-hacked-computers/index.html.
(4) 37 million T-Mobile customers were hacked – CNN. https://www.cnn.com/2023/01/19/tech/tmobile-hack/index.html.