Home M3AAWG Blog Making phone number porting more secure

By Bill Wilson and John Levine

Local Number Portability (LNP) is available in many countries and regions. This service, popularized by consumer mobile phone use and commonly known as number porting, enables users to retain their telephone number when switching from their existing communications service provider (or carrier) to a new service provider. In many cases, LNP support is legally mandated, and the mandates may include strict process requirements and timeframes for action by the existing service provider. 

Typically, there are requirements for consumer consent, and the burden of obtaining this consent is often assigned to the new service provider -- not the existing service provider.  Unfortunately, criminals have exploited LNP to steal phone numbers from unwitting victims. Once criminals have control of the user’s phone number, they can receive security codes intended for the victim and compromise the victim’s financial accounts.

In many cases, the exploit is achieved by masquerading as the legitimate number owner while applying for service with a new communications service provider. The new communications service provider, believing it has obtained consumer consent, then sends a request to their existing communications service provider for the number to be ported. Sadly, strictly prescribed processes and/or timelines may prevent the existing service provider from confirming consumer consent.  

At this time, not all communication service providers require their existing customers to confirm the porting request. In turn, an attacker can shop for a new service provider with weak consumer authentication and repeat attacks until the masquerade is successful. Confirmation by the existing service provider can prevent most porting fraud but may be inhibited by porting processes and timelines that do not allow time for this confirmation.  

We encourage regulators to ensure that regulation timelines do not prevent, but rather encourage existing communication service providers' confirmation of consumer consent. We also encourage all service providers to protect their customers by confirming their existing consumers' porting consent, thus making LNP, as well as services that use phone validation, more secure.



The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.