The Federal Communications Commission (FCC) is going to set new rules to curb the rising threat of SIM swapping, also known as SIMjacking.
SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. Once this happens, the scammer can use the device to receive calls and messages intended for the victim. SIM swapping is often used to intercept codes sent by SMS that are used in some forms of two-factor authentication (2FA).
SIM swapping is difficult to scale up into large attacks against lots of people at the same time, but it is often used to target specific, high-value individuals.
Early last year, US senators wrote a letter to the FCC urging it to do something about the rising problem of SIM swapping:
“The impact of this type of fraud is large and rising. According to the Federal Trade Commission, the number of complaints about SIM swaps has increased dramatically, from 215 in 2016 to 728 through November 2019, and consumer complaints usually only reflect a small fraction of the actual number of incidents.”
It went on to say that SIM swapping “may also endanger national security”:
“SIM swap fraud may also endanger national security. For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.”
According to its recent release, the FCC “has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”
Currently, the proposals boil down to requiring better checks and quicker notifications:
“[The FCC] proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”
Many are already happy upon receiving this news, vague as it is.
Of course, specifics need to be laid out as to how carriers can help potential SIM swap victims and how they generally safeguard all their users.