Phone Porting

Switching phone carriers without having to change numbers, a process called phone porting, is a convenience made available to consumers by the FCC under 47 U.S.C. § 251(b)(2). The practice, however, has unintentionally enabled an effective identity theft attack known as the “port-out” scam.

Let’s assume a fraudster has stolen your customer’s identity. Either in person with a fake ID or over the phone, the fraudster can contact a phone carrier and request a port. The carrier needs confirmation of the account number and associated PIN to complete the request, or may require an in-store reset if the PIN is unavailable (though oftentimes these requirements are bypassed through social engineering). The carrier may also ask security questions based on your customer’s PII, information the fraudster has already stolen and can easily provide. After completing this verification process, in as little as a few minutes, the fraudster will have your customer’s phone number active on their own device.

The fraudster will then receive your customer’s phone calls and text messages in real time. While this is happening, the original account holder will have their service turned off and their phone will become inactive. In a planned attack, the fraudster’s next move could be to request password resets through the account recovery process for every account they are aware of. Secure PINs will be sent to the customer’s phone number or email, which is now in the fraudster’s control. Financial institutions may use multi-factor authentication, such as SMS PIN codes. Compromised phone access, however, renders such systems moot. Once account passwords have been reset, the fraudster can access your customer’s financial accounts to max out lines of credit and leave you to bear the burden of fraudulent transactions.

The fraudster can also open financial accounts under the guise of their victim. Institutions may ask knowledge-based authentication questions or even call if they consider an application suspicious, but with access to the phone number, email, and other PII, a fraudster can bypass these security measures. They might then max out the lines of credit with no intention of repayment, leaving you to foot the bill.

In order to prevent phone porting fraud at your institution, consider:

  • Using a third-party vendor that can detect phone porting
  • Providing your risk operations team with tools that can detect phone porting during manual review
  • Using phone porting data and phone carrier information as features in fraud models
  • Asking customers about sudden losses of cell service when they report unauthorized account activity
  • Implementing rules in your fraud systems that would prevent account creations or changes with specific phone carriers in case one becomes compromised
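
The last three items above can be combined into one rule plus a pair of model features. This is an added sketch, not code from the original article or from any vendor's API: the `PhoneIntel` fields, the 7-day window, the event names and the carrier name are hypothetical placeholders for what your phone-intelligence vendor and policy supply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (not from the article); tune to your own risk appetite.
PORT_WINDOW = timedelta(days=7)             # how long a port counts as "recent"
BLOCKED_CARRIERS = {"examplecarrier-mvno"}  # constructed name for a compromised carrier
SENSITIVE = {"account_creation", "password_reset", "phone_change", "sms_otp"}

@dataclass
class PhoneIntel:                       # hypothetical vendor lookup result
    carrier: str
    last_ported_at: Optional[datetime]  # None means no port on record

@dataclass
class Event:
    kind: str
    at: datetime
    reported_service_loss: bool = False  # customer said their phone went dead

def evaluate(event: Event, intel: PhoneIntel):
    """Return (decision, reasons); decision is 'allow', 'review' or 'block'."""
    reasons = []
    ported = intel.last_ported_at
    if ported is not None and timedelta(0) <= event.at - ported <= PORT_WINDOW:
        reasons.append("recent_port")
    if intel.carrier.lower() in BLOCKED_CARRIERS:
        reasons.append("blocked_carrier")
    if event.reported_service_loss:
        reasons.append("service_loss_reported")
    # Non-sensitive events pass, but the reasons are still returned for logging.
    if event.kind not in SENSITIVE or not reasons:
        return "allow", reasons
    # A compromised carrier, or two independent signals, stops the change outright.
    if "blocked_carrier" in reasons or len(reasons) >= 2:
        return "block", reasons
    return "review", reasons            # single signal: route to manual review

def model_features(event: Event, intel: PhoneIntel) -> dict:
    """Porting and carrier data shaped as inputs for a fraud model."""
    ported = intel.last_ported_at
    days = None if ported is None else (event.at - ported).days
    return {"days_since_port": days, "carrier": intel.carrier.lower()}

if __name__ == "__main__":
    now = datetime(2024, 5, 10, 12, 0)  # constructed sample data
    intel = PhoneIntel("Carrier A", datetime(2024, 5, 9, 12, 0))
    print(evaluate(Event("password_reset", now), intel))
    print(evaluate(Event("password_reset", now, True), intel))
    print(model_features(Event("sms_otp", now), intel))
```

A `review` result should also keep the SMS code from being sent to the freshly ported number until the analyst clears it.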