Full Report
The feature is available for both consumer and business accounts. (Source article: "AT&T deploys new account lock feature to counter SIM swapping", CyberScoop.)
Analysis Summary
The provided article focuses on a telecommunications carrier (AT&T) deploying a specific security feature to combat SIM swapping attacks. The recommendations will therefore be tailored around account security controls, especially related to mobile service providers, and general best practices mentioned within the context of these advanced threats.
# Best Practices: Combating Mobile Account Takeovers and SIM Swapping
## Overview
These practices focus on implementing proactive security controls, particularly carrier-level account locks, to prevent unauthorized account takeovers facilitated through social engineering tactics like SIM swapping. SIM swapping allows attackers to redirect a victim's phone number to a device they control, bypassing SMS-based two-factor authentication (2FA) and gaining access to sensitive accounts.
## Key Recommendations
### Immediate Actions
1. **Enable Carrier Account Lock Features:** Immediately investigate and activate any available "Account Lock" or "Port/Transfer Freeze" features offered by your mobile service provider (similar to AT&T's Wireless Account Lock).
2. **Secure Mobile Account Access:** Ensure that access management for your mobile account (via the carrier's app or website) is restricted exclusively to primary account holders or authorized administrators, preventing regular users from making critical changes.
3. **Implement Strong Secondary Authentication:** Move away from SMS-based 2FA wherever possible. Transition all critical accounts (email, banking, cloud services) to stronger methods such as hardware security tokens, dedicated authenticator applications, or passkeys, none of which depend on the phone number an attacker can hijack.
### Short-term Improvements (1-3 months)
1. **Review Authorized Users:** Audit all users authorized on mobile accounts (especially for business/corporate plans) and revoke permissions for any individuals who do not strictly require administrative control over sensitive settings (billing, line transfers, device changes).
2. **Establish Account Change Notification Protocols:** Verify that settings are configured to send immediate change notifications (via primary email and all active numbers) for any modification attempts to billing, users, or number transfers.
3. **Educate End Users:** Conduct mandatory training sessions clarifying the risks of SIM swapping and emphasizing that carrier support staff will **never** ask for sensitive details over the phone to make high-risk changes without multi-factor verification.
### Long-term Strategy (3+ months)
1. **Adopt Identity Management Standards:** Develop and integrate comprehensive mobile communication security guidelines, referencing standards like those set forth by CISA, specifically designed to combat social engineering and account interference.
2. **Business Account Granularity:** For corporate plans, implement Business Account Lock features that allow administrators granular control, ensuring feature restrictions can be applied line-by-line based on an employee's role and required access level.
3. **Periodic Security Audits:** Schedule recurring audits (quarterly or semi-annually) of mobile account security configurations across the organization to ensure default settings have not been inadvertently lowered or overridden.
## Implementation Guidance
### For Small Organizations
- **Prioritize App Usage:** Ensure the primary account manager uses the carrier's dedicated mobile application, since managing advanced locks and settings through the app is often the most secure, app-gated route.
- **Centralized Management:** If an organization has a shared family plan or small business plan, designate one technically proficient individual as the sole administrator responsible for account lock settings.
### For Medium Organizations
- **Policy Development:** Formalize an official Mobile Device Security Policy that requires the use of non-SMS 2FA for all corporate resources accessible via mobile devices.
- **Phased Rollout:** Implement the account lock features across all business lines systematically, testing impact on legitimate operational changes before full mandatory deployment.
### For Large Enterprises
- **Integrate with IAM:** Explore carrier integrations or APIs (if available) that allow the centralized Identity and Access Management (IAM) system to verify or influence the status of enterprise mobile accounts.
- **Specialized Training:** Implement targeted training for IT/Security teams on handling carrier support escalations requiring restoration or recovery of a compromised mobile line.
## Configuration Examples
| Feature | Configuration Goal | Action/Setting | Restricted Activities |
| :--- | :--- | :--- | :--- |
| **Wireless Account Lock** (General) | Strictly limit high-risk account modifications. | Activate via Mobile Carrier App/Portal. | Changes to billing, User/Authorized List, Number Transfers, Device Purchases, SIM/eSIM Swaps, New Line Additions. |
| **Access Management** (General) | Restrict management privileges. | Ensure only Primary/Secondary Account Holders can toggle lock settings. | Prevention of regular users managing lock settings. |
| **Prepaid Account Variants** | Apply comparable blocking controls. | Verify variant feature activation (if applicable). | Functionality equivalent to postpaid account restrictions within prepaid structure. |
| **Notification Settings** | Ensure transparency for all changes. | Confirm Primary Email and Active Numbers receive immediate alerts. | Prevents modifications without user awareness. |
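The table above doubles as an audit checklist for the recurring reviews recommended under Long-term Strategy. The following is an added example, not code from the article or any carrier, of turning those four rows into automated checks over account records. The `CarrierAccount` fields are a hypothetical model (carriers expose no such schema here); the two sample accounts are constructed, one weak and one hardened, so the checker's output for each can be compared.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class CarrierAccount:
    """Constructed model of the security-relevant settings of one carrier account (hypothetical fields)."""
    account_id: str
    plan_type: str                 # "postpaid" or "prepaid"
    account_lock_enabled: bool     # Wireless Account Lock, or the prepaid equivalent, active?
    primary_holders: Set[str]      # primary/secondary account holders
    lock_managers: Set[str]        # users permitted to toggle lock settings
    primary_email: Optional[str]   # address that receives change alerts
    active_numbers: Set[str]       # lines on the account
    alert_numbers: Set[str]        # lines that receive change alerts


def audit_account(acct: CarrierAccount) -> List[str]:
    """Return one finding per table row the account violates; empty list means compliant."""
    findings: List[str] = []

    # Row 1 / Row 3: the lock (or prepaid variant) must be active.
    if not acct.account_lock_enabled:
        kind = "prepaid blocking control" if acct.plan_type == "prepaid" else "Wireless Account Lock"
        findings.append(f"{acct.account_id}: {kind} is not active")

    # Row 2: only primary/secondary holders may toggle the lock.
    extra = acct.lock_managers - acct.primary_holders
    if extra:
        findings.append(f"{acct.account_id}: non-holder users can manage lock settings: {sorted(extra)}")

    # Row 4: primary email and every active line must receive change alerts.
    if not acct.primary_email:
        findings.append(f"{acct.account_id}: no primary email configured for change alerts")
    silent = acct.active_numbers - acct.alert_numbers
    if silent:
        findings.append(f"{acct.account_id}: active lines not receiving change alerts: {sorted(silent)}")

    return findings


def audit_fleet(accounts: List[CarrierAccount]) -> Dict[str, List[str]]:
    """Map each account id to its findings, for a quarterly report."""
    return {a.account_id: audit_account(a) for a in accounts}


# Constructed sample records (555-01xx numbers are reserved fictional ones).
WEAK = CarrierAccount(
    account_id="acct-weak", plan_type="postpaid", account_lock_enabled=False,
    primary_holders={"alice"}, lock_managers={"alice", "bob"},
    primary_email=None,
    active_numbers={"+1-555-0100", "+1-555-0101"}, alert_numbers={"+1-555-0100"},
)
HARDENED = CarrierAccount(
    account_id="acct-hardened", plan_type="postpaid", account_lock_enabled=True,
    primary_holders={"alice"}, lock_managers={"alice"},
    primary_email="telecom-admin@example.com",
    active_numbers={"+1-555-0100", "+1-555-0101"}, alert_numbers={"+1-555-0100", "+1-555-0101"},
)

if __name__ == "__main__":
    for account_id, findings in audit_fleet([WEAK, HARDENED]).items():
        print(account_id, "->", findings or ["compliant"])
```

Feeding this from an export of the carrier portal, where one exists, turns the quarterly audit into a diff against the last run rather than a manual click-through.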
## Compliance Alignment
While the article focuses on carrier implementation, these practices align with general security frameworks:
* **NIST SP 800-63B (Digital Identity Guidelines):** Strong alignment with requirements for stronger authentication factors beyond SMS (e.g., requirements for MFA).
* **CIS Critical Security Controls (CSC):** Relates to CSC 1 (Inventory and Control of Software) and CSC 4 (Secure Configuration of Enterprise Assets), extending security principles to the mobile access layer.
* **CISA Mobile Security Guidelines:** The deployment of account locks directly addresses the threat landscape highlighted in recent CISA guidance regarding mobile communication security against sophisticated attacks.
## Common Pitfalls to Avoid
1. **Over-reliance on SMS 2FA:** Treating SMS-based authentication as sufficient security when highly targeted attacks like SIM swapping are active.
2. **Inconsistent Application:** Deploying strong controls for corporate systems but neglecting the foundational weakness at the mobile carrier account level.
3. **Single Point of Failure for Recovery:** Not establishing out-of-band recovery plans (e.g., knowing how to regain access if the primary recovery email linked to the carrier account is also compromised).
4. **Ignoring Prepaid Users:** Assuming prepaid users are outside the scope of high-risk account takeover attempts.
## Resources
- **CISA Mobile Security Best Practices:** Consult CISA's official guidelines for comprehensive mobile defense, especially following large-scale incidents. (Search for CISA mobile security guidelines).
- **Hardware Security Tokens/Passkeys:** Resources for implementing solutions like YubiKeys or dedicated authenticator apps for application-level 2FA. (Refer to NIST 800-63B guidance for approved authenticators).