What does port-out scam mean?

06 September 2018

Porting or port-out scams involve the theft of an individual’s mobile phone number via porting services, which is then used to commit fraud. The scam has become a real problem in the US, Europe and Australia, where fraudsters are using stolen numbers to circumvent security measures and access victims’ bank accounts.

Porting is a service offered by mobile phone operators that allows customers to transfer their phone number between SIM cards and/or carriers. An existing network provider sends the customer a Port Authorisation Code (PAC), which they use to transfer their number to the new provider. Unfortunately, this service can be abused by fraudsters.

Armed with a victim’s personal details (stolen during a data breach and purchased on the dark web), criminals are able to trick a network provider into transferring a number onto a SIM card in the fraudster’s control. They can then use the number to intercept text messages and access services linked to the victim’s phone number. In particular, criminals can use a stolen number to get around security features, such as two-factor authentication services used in online banking or to reset passwords.

Port-out fraud is similar to SIM swap fraud, and has much the same result. Rather than porting the victim’s number to a new network provider, SIM swap fraud would see the fraudster impersonate the victim and request a new SIM card for their account in order to gain access to the number.

Subscribe to our  Latest Cyber Decoder newsletter

Why does it matter?

Port-out scams have been around for some time, but there has been a worrying rise in fraudsters using the technique to compromise bank and other accounts. A crypto-currency investor recently filed a lawsuit against AT&T in, what is thought to be, the first civil case involving a port-out or SIM swap scam. The investor is seeking some USD 220 million in damages, after hackers stole the victim’s mobile phone number and used it to access an online account and steal USD 24 million.

Action Fraud Alert (AFA) recently warned that fraudsters have been porting a victim’s telephone number to a SIM card under their control and then using the number to access the victim’s bank accounts. This has resulted in some large losses for victims who have seen thousands of pounds stolen from their bank and credit card accounts, it says.

AFA notes an increase in port-out fraud by customers of the UK bank TSB, which reported heightened fraudulent activity following a problematic IT system migration in April. It appears fraudsters took advantage of TSB’s IT problems and deliberately targeted the bank’s customers, who were locked out of their accounts.

Mobile phone providers are warning customers about the threat of port-out scams and they offer free services that stop criminals from stealing mobile numbers and committing fraud. Mobile phone operator T-Mobile, which says that the industry has experienced an uptick in the number of port-out scams, is encouraging customers to add a passcode feature to their accounts and use strong passwords on any online or mobile account.

The use of port-out scams to circumvent mobile phone based two-factor authentication raises questions for both the mobile and banking industries, as more and more people rely on mobile devices for banking and payment services.

Secure authentication using mobile phones is a developing area, including the use of biometric and multifactor authentication. Last year a group of large telecoms companies – including AT&T, Sprint, T-Mobile and Verizon- joined forces to form the Mobile Authentication Taskforce. They also developed a mobile authentication solution that would help protect consumers from identity and data theft, as well as bank fraud. Earlier this year the group unveiled plans for a multi-factor authentication platform using distributed ledger (blockchain) technology.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com.