Full Report
AT&T has launched a new security feature called "Wireless Lock" that protects customers from SIM swapping attacks by preventing changes to their account information and the porting of phone numbers while the feature is enabled. [...]
Analysis Summary
# Best Practices: Mitigating SIM Swap Attacks
## Overview
These practices focus on preventing unauthorized SIM card swaps and fraudulent number port-outs (together often called SIM hijacking), which criminals use to take control of a victim's phone number, typically to intercept SMS-based Multi-Factor Authentication (MFA) codes or to support social engineering against service providers. The context highlights carrier-level controls (such as AT&T's Wireless Lock) and the need for robust identity verification.
## Key Recommendations
### Immediate Actions
1. **Enable Carrier Locking Features:** If available from your mobile service provider (e.g., AT&T's "Wireless Lock"), immediately activate this feature to require explicit authorization for any changes to the mobile account or SIM card.
2. **Implement Multi-Factor Authentication (MFA) *Not* Reliant on SMS:** Transition critical accounts (email, banking, cloud services) away from SMS-based MFA to stronger methods like authenticator apps (TOTP) or hardware security keys (FIDO2/WebAuthn).
3. **Review Account Security Credentials:** Immediately change account passwords for critical services and ensure they are strong and unique.
### Short-term Improvements (1-3 months)
1. **Strengthen Identity Verification Protocols (If you are a Carrier/Service Provider):** Implement mandatory, stringent multi-factor identity checks for *all* account changes, including SIM swaps, number transfers, and online account access. This should go beyond easily obtainable personal information.
2. **Establish PINs/Passcodes with Carriers:** Contact all mobile carriers to set a unique, complex account PIN or password that must be provided verbally or digitally before *any* administrative changes are permitted.
3. **Educate Employees on Insider Threats:** Conduct mandatory training detailing common social engineering tactics used against carrier employees (e.g., bribery attempts, pretexting) to prevent internal collusion in SIM swaps.
### Long-term Strategy (3+ months)
1. **Adopt Device-Level Security Monitoring:** Implement solutions that monitor for unexpected SIM changes or device activations, triggering immediate, high-priority alerts to the user and security team.
2. **Standardize eSIM Usage (Where Applicable):** Encourage or mandate the use of eSIMs where carriers support robust digital provisioning security, as these can sometimes offer a more secure change process than physical SIM swapping, though eSIM account security must still be heavily layered.
3. **Implement SIM Swap Detection Services:** Integrate threat intelligence feeds or specialized services that proactively monitor for any indicators of SIM swap activity targeting key personnel or corporate assets.
## Implementation Guidance
### For Small Organizations
- **Focus on MFA Migration:** Since you may lack direct carrier leverage, prioritize ensuring all staff use app-based MFA (like TOTP) for high-value accounts, effectively neutralizing the immediate threat of a successful SMS interception.
- **Assign a Single Security Contact:** Designate one trusted individual to manage all carrier account security details, reducing the attack surface from multiple employees holding sensitive information.
### For Medium Organizations
- **Develop a Communications Protocol:** Create an official, out-of-band communication procedure (e.g., a specific chat channel or secure management portal) that must be used to verify identity if a staff member claims their phone line has been compromised or ported.
- **Audit Employee Device Usage:** Maintain an accurate inventory of all corporate and personal devices accessing sensitive data, cross-referencing this with carrier records when feasible.
### For Large Enterprises
- **Establish Carrier Security Partnerships:** Formalize direct communication and rapid response channels with primary mobile carriers to address suspected SIM swaps involving executive staff or critical IT personnel immediately.
- **Implement Internal Access Control Policy Updates:** Update policies to explicitly forbid the use of mobile numbers as the *primary* or *sole* recovery mechanism for corporate single sign-on (SSO) systems.
## Configuration Examples
*Note: Specific configuration details rely heavily on the carrier. The focus here is on the protective layer required.*
**Carrier Account Security (Conceptual):**
1. **Account PIN/Password:** Set a *non-obvious, alphanumeric* 8-10 character password for account access, separate from standard account security questions that can be easily researched.
2. **Wireless Lock/Port Freeze Status:** Confirm status is set to "Locked" or "Do Not Port," requiring an in-person or verified secondary authentication (e.g., authenticated email or security token) for release.
## Compliance Alignment
- **NIST SP 800-53 (AC-2, IA-2, SC-17):** Focuses on authentication assurance levels and session identification management, which SIM swap attacks directly target.
- **CIS Critical Security Controls (Control 16: Account Monitoring and Control):** Specifically addresses monitoring and responding to changes in user access and identity configuration.
- **FCC Rules:** Adherence to new FCC requirements regarding stricter identity verification for number portability and SIM transfers.
## Common Pitfalls to Avoid
- **Relying Solely on SMS 2FA:** This is the primary vulnerability exploited by SIM swap attacks; treat SMS codes as a low-assurance MFA factor.
- **Using Easily Discoverable Security Answers:** Avoid using common information (pet names, birth dates, addresses) as answers to security questions used by carriers for identity verification.
- **Failing to Lock Accounts Proactively:** Assuming carrier security is sufficient without enabling client-side account locks or freezes.
- **Not Having an Out-of-Band Recovery Plan:** Having no alternative way to access critical accounts if the primary phone number is suddenly lost.
## Resources
- Carrier-specific security feature guides (e.g., checking the "Wireless Lock" status on AT&T's website).
- Documentation on implementing and migrating to Authenticator Apps (TOTP) for MFA providers (e.g., Google Authenticator, Microsoft Authenticator documentation).
- FCC guidelines documentation regarding consumer protection from SIM swapping.