SIM swap attacks and port-out fraud are major issues, with incidents happening almost daily in the U.S. Now, the FCC is stepping in.

Thieves have been exploiting carrier customer services to commandeer a person's mobile phone line without ever having physical access to the original phone. This gives the attacker access to a person's SMS-based two-factor authentication codes which can be used to access everything from a victim's email account to their cryptocurrency accounts.

The process is known as a "SIM swap attack", and it involves contacting the victim's carrier to initiate a phone number transfer to a SIM card that the thief has in their possession. If successful, the real owner's phone will immediately lose service, and the thief will gain access to all calls and texts sent to their number. The thief then moves quickly, often combining data from a variety of data breaches, to access the victim's accounts and drain them of funds.

A similar method, called a "port-out attack", essentially works the same way as a SIM swap. This attack moves the victim's number to a different carrier, onto a line owned by the thief.

The FCC announced today that proposals are being developed to create new rules surrounding the sim swap process. The commission has apparently received many complaints from victims of these attacks. The rules will seek to require carriers to securely authenticate a customer's identity before allowing number transfers to a new device or carrier.

T-Mobile in particular has had many incidents of SIM swap attacks, not to mention the major data breach back in August. AT&T has similar complaints. Verizon seems to be the least affected by the issue, requiring direct confirmation from the account holder before allowing a sim swap to activate.

For now, it's strongly recommended to use a security key or app-based two-factor authentication and avoid SMS-based 2FA whenever possible. Hopefully, the new rules the commission creates will help to avoid account takeovers in the future.