06/20/2024
According to TransUnion, account takeovers topped the list of most common fraud types, and per Javelin’s 2024 Identity Fraud Study, this resulted in an estimated $23 billion in losses to consumers in 2023. Unauthorized SIM swaps and port outs are increasing, and communications service providers (CSPs) have the immense responsibility of protecting their customers from these insidious attacks.
The Federal Communications Commission order (FCC 23 95A), adopted on November 15, 2023, introduced new rules aimed at protecting consumers from SIM swap and port-out fraud. These types of fraud involve bad actors taking control of a person's phone number by either convincing a wireless carrier to transfer the victim's service to a new SIM card (SIM swap) or by porting the number to a different carrier without authorization (port-out fraud).
The new FCC rules require wireless carriers, including resellers and MVNOs, to implement secure authentication methods and customer alerts in an effort to enhance the security of the SIM card and port processes.
The compliance date set by the FCC for these new rules is July 8, 2024 (conditional on Office of Management and Budget approval under the Paperwork Reduction Act). Notably, the rules focus on general requirements and outcomes, and avoid mandating specific security processes or technology to allow service providers discretion in their implementation. After all, fraudsters can and will adapt their attacks, so carriers' fraud prevention tactics will need to innovate over time.
Additionally, the FCC has issued a Further Notice of Proposed Rulemaking (FNPRM) to seek public comment on fusing these new rules with existing regulations. This could lead to extra measures to strengthen consumer protections. Get more detailed information on the FCC's new rules here.
KEY REQUIREMENTS
The FCC's new rules impose several key requirements on wireless carriers.
Enhanced authentication methods: Carriers must implement secure authentication methods before processing SIM swap and port-out requests for both post- and pre-paid accounts. These methods should be robust enough to effectively verify the identity of the requester. Additionally, carriers should initiate an annual update/review of their authentication approaches.
To comply and protect customers, use inbound and device-based authentication solutions that provide smooth, seamless experiences for legitimate customers in call center and digital channels. You’ll want to look for a data and security provider with solutions that:
Customer notification requirements: Wireless carriers are required to notify customers of SIM swap or port-out requests. This allows customers to quickly identify and respond to unauthorized attempts to take control of their phone numbers. Although the FCC recommends it, carriers are not required to have subscribers verify or acknowledge the request before processing it further.
A partner like TransUnion can help propagate timely and critical subscriber alerts across multiple channels. For example, TruContact™ Phone Behavior Intelligence data not only helps carriers identify fresh and robust contact details, it also advises on the best contact channel and the best time to reach out, so critical alerts reach subscribers before it’s too late. Our TruContact Voice Provisioning self-service portal helps orchestrate notifications and, if necessary, collect incremental information or acknowledgement from the customer.
Account locks: Wireless carriers will need to provide this feature for both pre- and post-paid subscribers. Similar to credit freezes, an account lock blocks any further SIM swap or port-out requests until the customer deactivates the feature. Carriers are expected to generate awareness and properly educate customers on making use of this feature.
Beyond authenticating subscribers, carriers could use TransUnion port-out automation to easily manage and block port outs due to account locks or mismatched number transfer details, reducing costly system or manual errors.
Safeguards on contact center access to CPNI: Carriers have to limit access to Customer Proprietary Network Information (CPNI) by call center agents until after the customer has been properly authenticated.
Beyond authenticating subscribers, carrier best practice should also include screening for internal fraud vectors through robust background checks with TruLookup Advanced People Search. As with many types of fraud, even the best fraud prevention measures will fail if insiders are collaborating with bad actors.
Tracking effectiveness of protection measures: Moving forward, carriers will have to capture tracking data for three years, including on failed authentications and fraudulent transactions. The FCC will evaluate the effectiveness of the remediation programs and monitor consumer complaints. If the current programs aren’t effective in resolving the fraud issues, the FCC may impose fines or implement more specific requirements in the future.
TransUnion can help carriers track data across all carrier touch points/channels. Specifically, we can maintain data and produce reporting in the following areas: total number of SIM change/port-out requests; successful SIM change/port-out requests; failed SIM change/port-out requests; and successful fraudulent SIM change/port-out requests.
These measures are designed to bolster consumer protections against unauthorized control of their phone numbers, significantly reducing the risk of fraud related to SIM swaps and port-out schemes.
Looking ahead: Combatting SIM swap and port-out fraud effectively
By working with the right partner, wireless carriers can enhance their security protocols to sufficiently meet the FCC's requirements on time.
TransUnion can provide the necessary tools and expertise to create a secure and reliable verification process, thus helping prevent fraud while better ensuring compliance with regulatory mandates, including:
Our solutions help wireless carriers implement the FCC's new rules by enhancing their identity verification processes and fraud detection capabilities, thereby protecting consumers from SIM swap and port-out fraud.