The United States Federal Communications Commission (FCC) is asking for comment on proposed new rules to crack down on SIM swapping and number porting fraud, increasingly popular scams in which identity thieves hijack a target’s mobile phone number and use it to take control of the victim’s online identity.
In a long-awaited notice released on September 30, the FCC said it plans to act quickly to require mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or a new operator.
“We have received numerous complaints from consumers who have suffered significant distress, inconvenience and financial harm as a result of SIM card swap and porting fraud,” the FCC wrote. “Due to the severe damage associated with SIM swap fraud, we believe swift implementation is appropriate.”
The FCC said the proposal was in response to a flood of complaints to the agency and the United States Federal Trade Commission (FTC) about SIM swap fraud and number porting fraud. SIM swapping occurs when fraudsters trick or bribe an employee of a mobile phone store into transferring control of a target’s phone number to a device they control.
From there, attackers can reset the password of almost any online account linked to that mobile number, as most online services still allow users to reset their passwords just by clicking on a link sent by SMS to the registered phone number.
The crooks commit number porting fraud by posing as the target and requesting that their number be transferred to another mobile phone provider (and to a device controlled by the attackers).
The FCC said carriers have traditionally sought to combat both forms of phone number fraud by requiring static customer data that is no longer secret and has already been exposed in various places, such as date of birth and Social Security number. As an example, the commission pointed to the recent T-Mobile breach that exposed this data on 40 million current, past and potential customers.
In addition, victims of SIM swaps and porting fraud are often the last to be informed of their victimization. The FCC said it plans to ban mobile carriers from allowing a SIM card swap unless the carrier uses a secure method to authenticate its customer. Specifically, the commission proposes that carriers be required to verify a “pre-established password” with customers before making changes to their accounts.
According to the FCC, examples of pre-established passwords include:
- a one-time password sent by SMS to the account phone number or to a pre-registered backup number
- a one-time password sent by email to the email address associated with the account
- an access code sent by voice call to the account telephone number or to a pre-registered backup telephone number.
The commission said it also plans to update its rules to require mobile operators to develop procedures to respond to unsuccessful authentication attempts and immediately notify customers of any SIM change requests.
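To make the proposed controls concrete, here is an added example (not code from the FCC notice or from any carrier) that models the carrier-side flow the notice describes: a SIM-change request immediately notifies the customer on the account number and a pre-registered backup number, the change is approved only when a pre-established account PIN and a fresh one-time password both verify, and repeated failed attempts freeze further changes. The account data, the lockout threshold, the OTP lifetime and the notification texts are all constructed for the illustration.

```python
"""Constructed model of a carrier-side SIM-change authorisation flow."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3   # hypothetical policy value
OTP_TTL_SECONDS = 300     # hypothetical policy value


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked customer database does not expose PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


@dataclass
class Account:
    phone: str
    salt: bytes
    pin_hash: bytes
    backup_phone: Optional[str] = None
    failed_attempts: int = 0
    locked: bool = False
    pending_otp: Optional[str] = None
    otp_expires_at: float = 0.0
    # Messages the carrier sends out; in this model they are only collected.
    notifications: List[Tuple[str, str]] = field(default_factory=list)


def create_account(phone: str, pin: str, backup_phone: Optional[str] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(phone=phone, salt=salt, pin_hash=hash_pin(pin, salt),
                   backup_phone=backup_phone)


def notify(acct: Account, text: str) -> None:
    # Notify both the account number and the pre-registered backup number,
    # so the customer hears about a request even if the primary SIM is lost.
    for number in (acct.phone, acct.backup_phone):
        if number:
            acct.notifications.append((number, text))


def request_sim_change(acct: Account, now: float) -> Optional[str]:
    """Record a SIM-change request: notify the customer immediately and issue
    a one-time password. The OTP is returned so a caller can simulate delivery;
    a real system would send it over SMS/voice/email and return nothing."""
    notify(acct, "A SIM change was requested on your account. "
                 "If this was not you, contact us.")
    if acct.locked:
        return None
    acct.pending_otp = f"{secrets.randbelow(1_000_000):06d}"
    acct.otp_expires_at = now + OTP_TTL_SECONDS
    return acct.pending_otp


def authorize_sim_change(acct: Account, pin: str, otp: str, now: float) -> str:
    """Approve the change only if the pre-established PIN and a fresh OTP both
    verify. Returns 'approved', 'denied' or 'locked'."""
    if acct.locked:
        return "locked"
    pin_ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    otp_ok = (acct.pending_otp is not None
              and now <= acct.otp_expires_at
              and hmac.compare_digest(otp, acct.pending_otp))
    if pin_ok and otp_ok:
        acct.failed_attempts = 0
        acct.pending_otp = None          # OTP is single-use
        notify(acct, "Your SIM change has been completed.")
        return "approved"
    # The OTP stays valid across failures, but guessing is bounded by the
    # lockout below, so at most MAX_FAILED_ATTEMPTS tries are possible.
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.pending_otp = None
        notify(acct, "SIM changes are frozen after repeated failed "
                     "verification. Contact us to unlock your account.")
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = create_account("+15551230000", "482913", backup_phone="+15551239999")
    otp = request_sim_change(acct, now=0.0)
    print(authorize_sim_change(acct, "482913", otp, now=10.0))
    for number, text in acct.notifications:
        print(number, "<-", text)
```

The two-factor check deliberately treats a wrong PIN and a wrong OTP the same way, so an attacker who has one of the two learns nothing about which one failed, and the lockout state blocks new OTPs from being issued until the account is unfrozen through a separate channel.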
Additionally, the FCC has said it may impose additional customer service, training, and transparency requirements for operators, noting that too many customer service staff at wireless operators lack training on how to help customers who have had their phone number stolen.
The FCC has said that some of the consumer complaints it has received “describe customer service representatives of mobile carriers and store workers who are unsure of how to handle cases of fraudulent SIM exchanges or porting,” forcing customers to spend many hours on the phone and in retail stores trying to get a resolution. Other consumers complain that their mobile carriers have refused to provide them with documents relating to fraudulent SIM card exchanges, which makes it difficult for them to make any claims with their financial institutions or the police.
“Several consumer complaints lodged with the Commission allege that the employees of the wireless operator’s store are involved in the fraud, or that the operators have carried out SIM card exchanges when the customer has already set a PIN code or a password on the account,” the commission continued.
Allison Nixon, a specialist in SIM swap attacks and head of research at New York-based cyber intelligence firm Unit221B, said any new authentication requirements will need to balance legitimate use cases for customers requesting a new SIM card when their device is lost or stolen. A SIM card is the small removable smart card that associates a mobile device with its operator and its telephone number.
“At the end of the day, any sort of static defense will only work in the short term,” Nixon said. “Using SMS as a 2nd factor in itself is a static defense. And the criminals adapted and made the problem worse than the original problem it was supposed to solve. The long-term solution is that the system must be responsive to new fraud patterns and adapt to them faster than the speed of legislation.”
Eager to weigh in on the FCC’s proposal? They want to hear from you. The electronic comment filing system is here, and the file number for this proceeding is WC Docket No. 21-341.