Increasingly forceful measures against Port-out fraud and SIM swapping

SIM swap fraud and port-out fraud are threats that have led authorities in various countries to consider stricter regulatory actions, as operators’ responses to these attacks have so far been inadequate.

I

n January 2024, the Federal Communications Commission (FCC) of the United States launched the regulation “Protecting Consumers from SIM-Swap and Port-Out Fraud, FNPRM,” with the primary goal of protecting users from these fraudulent practices and raising awareness among companies about the commitment they must make by implementing a wide range of measures. These measures include: 

• Telecom companies will be required to use more secure authentication methods to verify users’ identities before making changes to their accounts, such as SIM replacement or phone number transfer. 

• They will also immediately notify users when any request is made to change their account, such as SIM replacement or phone number transfer. 

• Additional security measures will be implemented to protect users’ personal information, including the use of encryption and protection against phishing attacks. 

• Employee training to identify and prevent fraud attempts will be an essential focus. 

• Telecom companies will be obligated to report incidents of SIM swapping and port-out fraud to the FCC. 

More than a year after its approval, some operators have adapted their processes, while others face challenges for delays or non-compliance.

What do these frauds consist of? 

Let’s examine how these two strategies work and the extent of the damage they can cause. 

SIM swapping, also known as SIM card theft, involves fraudulently obtaining a duplicate of a user’s mobile phone SIM card. Once cybercriminals have the cloned card, they can intercept the user’s text messages and calls, and in some cases, even gain access to their bank accounts and social media accounts. 

Cybercriminals use various methods to carry out SIM swapping. In some cases, they obtain the victim’s personal information through social engineering, phishing, or even by purchasing data on the dark web. With this information, they impersonate the legitimate user with the telecom company and request a replacement or duplicate SIM card. 

In other cases, cybercriminals exploit vulnerabilities in the telecom operators’ systems to intercept or divert text messages containing verification codes to access the victim’s accounts. 

In summary, the structure of this procedure consists of the following steps: 

• Selection of the victim and information gathering: The criminals obtain information about the victim to persuade telecom operators to transfer the number. 

• Transfer request: They contact the operator, pretending to be the victim, to request the transfer of the number. 

• Interception of messages: They use the compromised number to intercept one-time passwords (OTPs) and gain access to accounts. 

• Transfer back: To avoid suspicion, they may transfer the number back to the victim’s original device. 

On the other hand, number porting fraud, also known as fraudulent porting, phone number theft, or number hijacking, involves transferring a user’s phone number from one telecom company to another without their consent. Cybercriminals carry out this fraud to access accounts and services associated with the victim’s phone number, such as online banking, social media, or even email. 

After stealing personal information through techniques we’ve already discussed, the criminals impersonate the legitimate user with the destination telecom company and request the number porting. To complete the porting, the destination company usually sends a verification code (OTP) to the victim’s phone number. The cybercriminals, who already control the number thanks to SIM swapping or other techniques, intercept this code and use it to complete the porting without the legitimate user’s knowledge. 

How consumers can tell they are victims of SIM swapping or number porting fraud 

Prevention is the best weapon against fraud, and knowing how to interpret signs of fraudulent activity can help citizens stay safe from SIM swapping or port-out fraud. 

• Inability to make calls or send text messages: If a user experiences failures when trying to communicate, whether by calls or messages, it could be a sign that their SIM card has been deactivated by fraudsters to take control of their phone number. 

• Notifications of activity on another device: If a user receives alerts from their telecom operator indicating that their SIM card or phone number has been activated on another device, it is a clear sign that something is wrong. 

• Inability to access accounts: If a user suddenly cannot log into their bank accounts, social media, or any other online service using their usual credentials, it is possible that the fraudsters have changed their passwords and usernames after gaining access to their phone number. 

• Unrecognised transactions in bank accounts: The user should carefully review their bank and credit card statements. If they detect transactions they did not make, it is likely that the fraudsters have accessed their financial information and are already using it fraudulently. 

How to prevent SIM swapping attacks 

A strategic combination of technology and best security practices is key to containing the phenomenon of SIM swapping fraud. 

Using specialised software to detect SIM swap attempts is one of the first lines of defence. These tools monitor suspicious activities and alert users and mobile service providers to potential fraud attempts. They can identify unusual patterns in SIM change requests and prevent unauthorised access. 

Two-factor authentication adds an extra layer of security by requiring two forms of verification (or more, in which case it is called multi-factor authentication or MFA) before allowing access to an account. In addition to the username and password, users must provide a code sent to a trusted device. This makes it more difficult for fraudsters to access accounts even if they manage to obtain the login information. 

Examining mobile phone numbers without interrupting the user experience is possible with phone number intelligence tools. These solutions allow for the verification of a number’s authenticity and the detection of suspicious activities associated with fraud attempts. 

Silent network authorisations are less vulnerable to social engineering scams. This method enables verification and authorisation of changes within the network without alerting fraudsters, providing an additional layer of security for user information. 

Lastly, biometric authentication, increasingly prominent in identity and access schemes, such as facial recognition or fingerprint scanning, is another robust alternative to traditional passwords. These techniques are difficult to hack and offer superior security. Implementing biometric methods can significantly reduce the risk of unauthorised access. 

International regulation and the global context of SIM swapping

The global impact of SIM swapping and port-out fraud has driven a regulatory response that goes beyond the borders of the United States. The FCC’s 2024 regulation marked a turning point, but other countries and regional blocs have also begun to address this phenomenon within their own legal and data protection frameworks, tailoring measures to fit their respective systems.

European Union: digital identity and data protection

While the European Union does not have a regulation specifically targeting SIM swapping, several initiatives indirectly address the issue:

• eIDAS 2.0 regulation: Approved in 2024, this regulation lays the groundwork for the European Digital Identity (EUDI Wallet), which includes high-security authentication mechanisms. The implementation of a standardized and verified digital identity could reduce the risk of SIM swapping by centralizing and strengthening user validation.

• General Data Protection Regulation (GDPR): Requires service providers to adequately protect users’ personal data. Data breaches that enable SIM swapping can lead to penalties if negligence in data handling is demonstrated.

• Some countries, such as Spain, Germany, and France, have begun requiring enhanced two-factor authentication for changes involving sensitive data, including the phone number linked to digital or banking services.

Canada: focus on telecommunications and consumer protection

In Canada, the Canadian Radio-television and Telecommunications Commission (CRTC) has increased pressure on telecom operators to improve identity verification practices.

Since 2023:

• Operators are required to implement anti-fraud measures before completing SIM swap or porting requests.

• The use of biometric verification and unique tokens is being promoted as an alternative to SMS-based verification codes.

• The Office of the Privacy Commissioner has also started investigating SIM swap incidents as privacy violations, setting new legal precedents.

Brazil: LGPD and financial regulation

In Brazil, the Lei Geral de Proteção de Dados (LGPD) and the increasing digitalization of the banking sector have led the National Telecommunications Agency (ANATEL) to enforce mandatory alerts and robust validation mechanisms.

Additionally:

• Some banks now use cross-checks between telecom operators and financial institutions before authorizing sensitive transactions, as part of their fraud prevention systems.

• Public-private collaboration on anti-fraud intelligence platforms is growing, with particular focus on SIM swapping and similar attacks.

A common trend: stronger authentication and shared responsibility

The global narrative is clear: the burden of cybersecurity no longer lies solely with the user. Regulators are demanding that telecom providers, banks, and digital service platforms share the responsibility through:

• Mandatory multi-factor authentication (MFA).

• Real-time alerts for account changes.

• Sanctions for malpractice or negligence.

• Cross-sector coordination to track and respond to fraud incidents.

Adopting these practices and technologies not only enhances security against SIM swapping but also protects data integrity and user trust in security systems overall. 

As these activities continue to grow, along with the resulting millions in economic losses, it will be necessary to legislate firmly and keep defensive strategies up-to-date. 

Seek personalised advice from our security experts and protect your business