This attack is known as port-out fraud: criminals, using stolen personal information, trick the wireless firm (in this case TracFone) into believing that a customer has made a legitimate request to move his account to another account he holds with a different carrier. Instead, the customer’s wireless service is ported over to an account owned by the attacker, who then takes over the phone and its installed apps by intercepting phone calls, SMS messages, and two-factor authentication codes. This gives the attacker access to the victim’s bank, securities, credit card and cryptocurrency accounts, draining all of the available funds in seconds.
Port-out fraud is similar to a SIM swap. The latter attack involves the criminal asking for and receiving a SIM card attached to a subscriber’s account by pretending to be the customer, either on the web or via a phone call with the wireless company. Once the new SIM card is sent to an address given by the thief to the carrier, the requested SIM is placed in the attacker’s phone, allowing him to hijack the customer’s account. As with port-out fraud, the thief intercepts phone calls, SMS messages, and two-factor authentication codes, allowing him to access and drain the victim’s bank, securities, credit card, and cryptocurrency accounts.
Verizon bought TracFone in November 2021.
TracFone’s order website was involved in two other incidents, which took place in December 2022 and January 2023. Both times the attackers were able to access order information without being authenticated. The bad actors were able to exploit an online vulnerability that wasn’t patched until February 2023. The FCC accused TracFone of failing to reasonably secure the personal information belonging to its customers, which it says is a violation of the carrier’s obligations. Wireless carriers are expected to use every reasonable precaution to protect their customers’ personal information.
Section 222 of the Communications Act says that the failure to reasonably secure customers’ proprietary information violates a carrier’s duty. It also constitutes an unjust and unreasonable practice in violation of Section 201 of the Act. In addition to paying the civil penalty of $16 million, as part of the Consent Decree, TracFone has agreed to launch an information security program to reduce API vulnerabilities. Reducing these flaws should make it harder for attackers to find a vulnerability to exploit.
The FCC also had TracFone agree to improve its defenses against attacks on customers via the aforementioned SIM swaps and port-out fraud. The company will also train employees on privacy and security matters.
"The Commission has also adopted rules that require carriers to take reasonable measures to discover, report, and protect against attempts to access CPNI (Customer proprietary network information, or subscriber data obtained by telecom firms) without authorization." - FCC