Full Report
The feature is available for both consumer and business accounts. The post AT&T deploys new account lock feature to counter SIM swapping appeared first on CyberScoop.
Analysis Summary
# Best Practices: Mobile Account Security Against SIM Swapping
## Overview
These practices focus on hardening mobile phone accounts against SIM swapping and account takeover attacks, often facilitated by social engineering. The core recommendation, exemplified by industry deployment, is to implement strong, identity-verified account locking mechanisms accessible via mobile applications.
## Key Recommendations
### Immediate Actions
1. **Activate Carrier Account Lock:** Immediately enable any available "Wireless Account Lock" or similar feature offered by your mobile service provider (e.g., AT&T Wireless Account Lock, T-Mobile's protection).
2. **Verify Access Management:** Confirm that only primary and secondary account holders can manage critical security settings, locking out regular multi-line users from making sensitive changes.
3. **Review Notification Settings:** Ensure that notifications for any changes to account settings (billing, authorized users, device swaps) are immediately sent to the account's primary email address and all active phone numbers.
### Short-term Improvements (1-3 months)
1. **Implement Advanced Authentication:** Deploy or transition to “password-less” systems for critical online services, prioritizing hardware tokens, dedicated authenticator apps (TOTP), or Passkeys over SMS-based Two-Factor Authentication (2FA).
2. **Audit Email Security:** Strengthen the security of the email address linked to the mobile account, as it often serves as a pathway for password resets or lock change notifications. Apply strong, unique passwords and MFA (using non-SMS methods) to the primary email.
3. **Educate Account Holders:** Inform all primary/secondary account holders exactly how to toggle their carrier account locks on/off and what steps to take if they receive unauthorized change notifications.
### Long-term Strategy (3+ months)
1. **Develop Organizational Mobile Security Policy:** For business accounts, establish a formal policy mirroring CISA guidelines for safeguarding mobile communications, specifically addressing social engineering vulnerabilities like SIM swapping.
2. **Granular Business Control Implementation:** If applicable, utilize "Business Account Lock" features to apply granular restrictions on which advanced features can be restricted per line, ensuring compliance across different corporate roles.
3. **Periodic Review of Carrier Controls:** Establish a recurring calendar event (quarterly or bi-annually) to re-verify that account locks are active and that recovery methods (email, recovery phone numbers) are current and highly secured.
## Implementation Guidance
### For Small Organizations
- **Prioritize App Management:** Mandate that account lock features are managed exclusively through the carrier's official mobile application, as this limits administrative access to company-owned or personally identifiable devices.
- **Single Point of Contact:** Designate one trusted individual (who has strong personal security hygiene) as the primary account manager to reduce confusion over who can toggle the lock.
### For Medium Organizations
- **Implement Business Account Lock:** Leverage the administrative controls of the Business Account Lock feature to segment security policies based on employee roles (e.g., locking down executive lines more strictly than field staff lines).
- **Device Provisioning Policy:** Ensure new line provisioning or device upgrades (which bypass locks if initiated incorrectly) are centralized through IT/Administration rather than allowing individual employees to execute them unmonitored.
### For Large Enterprises
- **Integrate Identity Management:** Explore how carrier identity verification processes (if managed via corporate contracts) can integrate with internal Identity and Access Management (IAM) systems to streamline account management while maintaining the integrity of external carrier locks.
- **CISA Guideline Integration:** Formally adopt and document compliance against frameworks like CISA’s mobile security guidelines for combating SIM swapping within the formal IT security framework.
## Configuration Examples
| Account Action Restricted by Wireless Account Lock | Status (when locked) |
| :--- | :--- |
| Changes to billing information | **Blocked** |
| Changes to authorized users | **Blocked** |
| Transfers of wireless numbers to new accounts (Porting) | **Blocked** |
| SIM or eSIM swaps between devices | **Blocked** |
| Addition of new lines | **Blocked** |
| Device purchases or upgrades billed to the account | **Blocked** |
*Note: Access to manage these lock settings is restricted to primary and secondary account holders.*
## Compliance Alignment
- **NIST SP 800-63 (Digital Identity Guidelines):** Aligns with the principles of robust Identity Proofing and Authenticator Assurance Levels (AALs), especially when moving away from less secure SMS-based MFA.
- **CISA Mobile Security Best Practices:** Directly supports CISA's guidance aimed at safeguarding mobile communications and preventing account takeover vectors like SIM swapping.
## Common Pitfalls to Avoid
1. **Relying Solely on Traditional Passwords:** Assuming a complex password mitigates SIM swapping. SIM swapping bypasses credential entry and targets the phone number itself as the authentication factor.
2. **Inaccessible Emergency Access:** Setting up a lock without having a clear, validated recovery path (e.g., losing access to the registered device *and* the recovery email simultaneously).
3. **Ignoring Prepaid Accounts:** Assuming prepaid accounts are inherently more secure or exempt from SIM swapping threats. Prepaid accounts must have comparable blocking features enabled.
## Resources
- **Carrier Mobile Application:** The primary interface for enabling/disabling account locking features.
- **CISA Guidance:** Consult official Cybersecurity and Infrastructure Security Agency documentation regarding mobile security best practices for detailed adversary tactics and defense strategies.