09 Jan 20

Lawmakers Prod FCC to Act on SIM Swapping

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring the target’s wireless service to a device the attacker controls. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: plundering the victim’s financial accounts; hijacking their identities on social media platforms; viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also asks the FCC to say whether anything in federal regulations prevents mobile carriers from sharing with banks the date of a customer’s most recent SIM swap, so that a login or transaction shortly after a swap can be flagged as suspicious — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.
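The check the letter describes, carrier-supplied SIM-change data consumed on the bank’s side, is the kind of control that is easier to reason about in code. The following is an added example, not code from the article, the lawmakers or any carrier or bank. It assumes a carrier lookup that returns the last SIM change and last port-out per phone number (the `CARRIER_LOOKUP` table, the field names, the seven-day window and the high-value threshold are all assumptions), and it shows how that one timestamp changes what a bank should do with an SMS-based password reset, a login, or a transfer, including the case where the carrier has no data at all, so SMS cannot be trusted as a second factor. The events and carrier records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc

# Constructed carrier lookup results (assumed API shape: one record per
# phone number with the last SIM change and the last port-out, if any).
CARRIER_LOOKUP: Dict[str, Dict[str, Optional[datetime]]] = {
    "+15555550100": {"last_sim_change": datetime(2020, 1, 8, 21, 15, tzinfo=UTC),
                     "last_port_out": None},
    "+15555550101": {"last_sim_change": datetime(2019, 3, 2, 10, 0, tzinfo=UTC),
                     "last_port_out": None},
    "+15555550102": {"last_sim_change": None,
                     "last_port_out": datetime(2020, 1, 9, 2, 40, tzinfo=UTC)},
}

RECENT_CHANGE_WINDOW = timedelta(days=7)   # assumed policy value
HIGH_VALUE_TRANSFER = 1000.0               # assumed policy value


@dataclass
class Event:
    user: str
    phone: str
    kind: str            # "login", "password_reset" or "transfer"
    at: datetime
    amount: float = 0.0  # only meaningful for "transfer"


@dataclass
class Decision:
    action: str          # "allow", "step_up" or "block"
    reason: str


def most_recent_change(phone: str) -> Optional[datetime]:
    """Latest SIM change or port-out the carrier reports for this number, or None."""
    record = CARRIER_LOOKUP.get(phone)
    if record is None:
        return None
    stamps = [t for t in record.values() if t is not None]
    return max(stamps) if stamps else None


def assess(event: Event) -> Decision:
    """Decide how to treat one event given the carrier's SIM-change signal."""
    change = most_recent_change(event.phone)
    if change is None:
        # Without carrier data an SMS code proves nothing about who holds the
        # number, so an SMS-based reset gets a non-SMS challenge instead.
        if event.kind == "password_reset":
            return Decision("step_up", "no carrier data; SMS not trusted for reset")
        return Decision("allow", "no carrier data")

    age = event.at - change
    if age < timedelta(0):
        # Carrier clock ahead of ours, or a stale cache: treat as just changed.
        age = timedelta(0)

    if age <= RECENT_CHANGE_WINDOW:
        if event.kind == "password_reset":
            return Decision("block", f"SMS reset {age} after SIM change")
        if event.kind == "transfer" and event.amount >= HIGH_VALUE_TRANSFER:
            return Decision("block", f"high-value transfer {age} after SIM change")
        return Decision("step_up", f"SIM changed {age} ago; require a non-SMS factor")

    return Decision("allow", f"SIM unchanged for {age.days} days")


def assess_all(events: List[Event]) -> List[Decision]:
    return [assess(e) for e in events]


def sample_events() -> List[Event]:
    """Constructed events, all on the day after the swap/port-out records above."""
    day_after = datetime(2020, 1, 9, 14, 0, tzinfo=UTC)
    return [
        Event("alice", "+15555550100", "password_reset", day_after),
        Event("alice", "+15555550100", "login", day_after),
        Event("bob", "+15555550101", "transfer", day_after, amount=5000),
        Event("carol", "+15555550102", "transfer", day_after, amount=2500),
        Event("dave", "+15555550199", "password_reset", day_after),  # unknown to carrier
    ]


if __name__ == "__main__":
    for ev, d in zip(sample_events(), assess_all(sample_events())):
        print(f"{ev.user:6} {ev.kind:15} -> {d.action:8} ({d.reason})")
```

Two details matter in practice. A missing carrier record is not a pass: the bank should fall back to a factor that does not ride on the phone number. And a port-out counts the same as a SIM change, because a number moved to another carrier is just as much under the attacker’s control as a number moved to another SIM.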

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”

The FCC did not immediately respond to requests for comment.

SIM SWAP (CRIM)INNOVATIONS

Legitimate SIM swaps are a common request for all carriers, and they usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

But unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down and wrest control over a great deal of their online identities and finances. What’s more, the security options available to wireless customers concerned about SIM swapping — such as personal identification number (PIN) codes — are largely ineffective against crooked or clueless mobile phone store employees.
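Why an account PIN fails against an insider comes down to where the PIN lives: if the retail console can display it, a bribed or careless employee needs nothing else. The following is an added example, not code from the article or from any carrier, of the server-side alternative: the PIN is stored only as a salted hash, the server answers yes or no, repeated failures lock the account, the optional in-store ID requirement the letter mentions is enforced by the server rather than by the employee’s judgement, and every attempt is logged with the employee who made it. Account numbers, PINs, the lockout threshold and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000   # assumed; tune to the server hardware
MAX_FAILURES = 3          # assumed lockout threshold


@dataclass
class Account:
    number: str
    salt: bytes
    pin_hash: bytes                       # only a hash is stored; no screen can show the PIN
    failures: int = 0
    locked: bool = False
    in_store_id_required: bool = False    # the optional "show ID in a store" protection


AUDIT: List[dict] = []   # every attempt, including the employee who made it


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def create_account(number: str, pin: str, in_store_id_required: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(number, salt, hash_pin(pin, salt),
                   in_store_id_required=in_store_id_required)


def authorize_sim_change(acct: Account, pin_entered: str, employee_id: str,
                         id_verified_in_store: bool) -> Tuple[bool, str]:
    """Server-side decision for a SIM change or port-out request.

    The employee types whatever the customer tells them; the server compares
    a hash and answers yes/no. Nothing here returns or logs the PIN itself.
    """
    entry = {"number": acct.number, "employee": employee_id,
             "id_verified": id_verified_in_store}

    if acct.locked:
        AUDIT.append({**entry, "result": "denied_locked"})
        return False, "account locked after repeated PIN failures"

    if acct.in_store_id_required and not id_verified_in_store:
        AUDIT.append({**entry, "result": "denied_no_id"})
        return False, "customer must present ID in a store for this account"

    if not hmac.compare_digest(hash_pin(pin_entered, acct.salt), acct.pin_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        AUDIT.append({**entry, "result": "denied_bad_pin", "failures": acct.failures})
        return False, f"wrong PIN ({acct.failures}/{MAX_FAILURES})"

    acct.failures = 0
    AUDIT.append({**entry, "result": "authorized"})
    return True, "SIM change authorized"


# Contrast: the weak pattern the article's sources describe, where the
# retail console can display the secret and a bribed employee simply reads it.
def weak_lookup_pin(plaintext_store: Dict[str, str], number: str) -> str:
    return plaintext_store[number]   # anyone with console access now knows the PIN


if __name__ == "__main__":
    acct = create_account("+15555550100", "4821")          # constructed
    print(authorize_sim_change(acct, "4821", "emp-17", False))
    print(authorize_sim_change(acct, "0000", "emp-17", False))
    strict = create_account("+15555550101", "7309", in_store_id_required=True)
    print(authorize_sim_change(strict, "7309", "emp-42", False))
    print(authorize_sim_change(strict, "7309", "emp-42", True))
```

The hash closes the “employee reads the PIN off the screen” path, but it does not close the “employee ticks the ID-verified box without checking” path; that one is why the audit entry carries the employee ID and why in-store changes on locked-down accounts deserve a second approver or a callback to the existing device.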

A successful SIM swap may allow tormentors to access a victim’s email inbox even after the target has changed his or her password. For example, some email services allow customers to reset their passwords just by providing a piece of information that would likely only be known to the legitimate account holder, such as the month and year the account was created, or the name of a custom folder or label in the account previously created by the user.

One technique used by SIM swappers to regain access to hacked inboxes is to jot down this information once a SIM swap affords them the ability to reset the account’s password. Alternatively, SIM swappers have been known to create their own folders or labels in the hacked account to facilitate backdoor access later on.
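The practical consequence of the two paragraphs above is that a victim who changes the password after a SIM swap is not done: anything the attacker created or changed while they held the account may still be a way back in. The following is an added example, not from the article or any mail provider, of a post-takeover review over an account activity export. The event names, the fourteen-day window and the log itself are constructed assumptions standing in for whatever a given provider exposes; the logic flags persistence-style changes (new labels or folders, forwarding and filter rules, changed recovery contacts, app passwords, authorized third-party apps) made within the window after a reset that went through SMS or a voice call.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

REVIEW_WINDOW = timedelta(days=14)   # assumed; widen if the reset date is uncertain

# Assumed event names standing in for a provider's account-activity export.
PERSISTENCE_EVENTS = {
    "label_created",               # the "proof of ownership" trick described above
    "forwarding_address_added",
    "filter_created",
    "recovery_email_changed",
    "recovery_phone_changed",
    "app_password_created",
    "oauth_app_authorized",
}
SMS_RESET_METHODS = {"sms", "voice_call"}


def sample_log() -> List[Dict]:
    """Constructed activity export: the owner's own actions, then a takeover."""
    return [
        {"at": datetime(2019, 11, 2, 9, 0), "event": "label_created", "detail": "Taxes 2019"},
        {"at": datetime(2020, 1, 8, 22, 5), "event": "password_reset", "via": "sms"},
        {"at": datetime(2020, 1, 8, 22, 9), "event": "label_created", "detail": "zz"},
        {"at": datetime(2020, 1, 8, 22, 11), "event": "forwarding_address_added",
         "detail": "x@example.net"},
        {"at": datetime(2020, 1, 8, 22, 12), "event": "filter_created",
         "detail": "from:*bank* -> skip inbox, forward"},
        {"at": datetime(2020, 1, 9, 1, 30), "event": "recovery_phone_changed",
         "detail": "+15555550177"},
        {"at": datetime(2020, 1, 10, 8, 0), "event": "password_reset", "via": "recovery_email"},
        {"at": datetime(2020, 1, 10, 8, 3), "event": "label_created", "detail": "Incident"},
    ]


def sms_resets(log: List[Dict]) -> List[Dict]:
    """Resets that relied on the phone number and so could have been a SIM swap."""
    return [e for e in log
            if e["event"] == "password_reset" and e.get("via") in SMS_RESET_METHODS]


def triggering_reset(event: Dict, resets: List[Dict]) -> Optional[Dict]:
    for r in resets:
        if r["at"] <= event["at"] <= r["at"] + REVIEW_WINDOW:
            return r
    return None


def persistence_after_sms_reset(log: List[Dict]) -> List[Dict]:
    """Persistence-style changes made within REVIEW_WINDOW after an SMS/voice reset."""
    resets = sms_resets(log)
    findings = []
    for e in sorted(log, key=lambda x: x["at"]):
        if e["event"] not in PERSISTENCE_EVENTS:
            continue
        trigger = triggering_reset(e, resets)
        if trigger is None:
            continue
        minutes = int((e["at"] - trigger["at"]).total_seconds() // 60)
        findings.append({"at": e["at"], "event": e["event"],
                         "detail": e.get("detail"), "minutes_after_reset": minutes})
    return findings


if __name__ == "__main__":
    for f in persistence_after_sms_reset(sample_log()):
        print(f"{f['at']:%Y-%m-%d %H:%M}  +{f['minutes_after_reset']:>5} min  "
              f"{f['event']:26} {f['detail']}")
```

Everything inside the window is listed, including the “Incident” label the owner created after regaining access, so the output is a review list rather than a deletion list. The “Taxes 2019” label predates the reset and does not appear, which is the distinction a manual scroll through the settings pages tends to miss: what matters is not whether a label exists but when it was made relative to the reset.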

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against 22-year-old alleged serial SIM swapper Nicholas Truglia, who stands accused of using the technique to siphon $24 million worth of cryptocurrencies from blockchain investor Michael Terpin.

But experts say the few arrests that have been made in conjunction with SIM swapping attacks have pushed many involved in this crime to enlist help from co-conspirators who are minors and thus largely outside the reach of federal prosecutors.

For his part, Terpin sent an open letter to FCC commissioners in October 2019, urging them to mandate that wireless carriers provide a way for customers to truly lock down their accounts against SIM swapping, even if that means requiring an in-person visit to a store or conversation with the carrier’s fraud department.

In an interview with KrebsOnSecurity, Terpin said the FCC has so far abdicated its responsibility over the carriers on this matter.

“It took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars,” Terpin said. “Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

Want to read more about SIM swapping? Check out Busting SIM Swappers and SIM Swap Myths, or view the entire catalog of stories on the topic here.


44 comments

  1. I just want to thank you for being such a valuable resource to those of us in the security industry. Your succinct and reliable reports prove to be highly valuable in this ever changing landscape.

    I don’t know if you ever consider presenting at conferences but each year I help with the American Bankers Association/American Bar Association’s Financial Crimes Conference held in the DC area in early December. While I can’t speak for the organizations, I feel certain if you were interested they would welcome you as a speaker. Just let me know and best regards,

    Kevin Eack

  2. Thanks for the article. Anna Eshoo represents CT, not CA. I don’t think those of us in California even now get three Senators.

  3. The Sunshine State

    The Federal Communications Commission also has to do something about all the robo-calling, with big telecom companies not doing enough to stop the ever increasing amounts of calls.

  4. Hopefully the FCC has the budget to do half of what congress wants them to. Cutbacks in costs by regulators are a reality nowadays.

    • 8:30am Arrive work 30 minutes late; 8:30 to 9:30 Chat with co-workers; 9:30 to 10am Coffee Break; 10am to 12 noon Listen to Rush Limbaugh on the Radio; 12 to 2pm Lunch; 2pm to 2:30pm Fill out Time Card; 2:30 to 3:30pm Coffee Break; Off at 4:30pm, home by 3:45pm.

      Ten-year-old boy overheard at school, “My dad works for the FCC and he’s SO FAST he gets off work at 5pm and he’s home by 3pm.”

  5. “Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to sure their systems and thus harm consumers,”

    either the letter linked has been updated since you wrote this, or sure should be secure.

  6. Two is the limit per state, but then I’m sure you already know that.

    • That has to be the craziest post I’ve seen in a long time. Even weirder since she is in the house.

      Ro Khanna represents where Silicon Valley workers live. Anna Eshoo represents where their bosses live.

      What we really need is to stop the practice of using SMS for 2FA.

      • Thanks for responding. I should have put @Carl Schwarcz or used the reply button as well.

      • I wondered why Khanna wasn’t a co-signatory. Perhaps the mainstream Dems don’t want a “firebrand” like him on board.

        • I wonder why there are no Republican signers of this letter. I wonder why this administration’s FCC commissioner has not publicly responded to it.

  7. While ajit pai is at the helm, nothing will be done.

  8. I have read many stories about SIM swapping but fail to understand how it is such a menace.

    I have had several accounts with crypto exchanges dating back years. All of these exchanges demand 2FA via authentication apps like Google Authenticator. Not a single one uses SMS.

    As I understand it, if my SIM is swapped, I am safe because – if Google Authenticator was installed on the criminal’s phone even with my number – the app would not generate the correct codes that would allow access to the exchanges. Please let me know if this is incorrect.

    So what am I missing? Why is SIM swapping for crypto such a problem?

    • Because (in the case of cryptocurrency exchanges) people use SMS in spite of OATH/TOTP existing

      In the case of banks, they often don’t offer any better options.

  9. This quote from Terpin suggests that there is a way to prevent SIM swapping that carriers don’t discuss. Is that the case?

    The carriers should also have to inform every single current and future customer that there is this high security option available

  10. It’s all good, except that chairman Pai is a lobbyist and he doesn’t represent people’s interests … so good luck with that paper.

  11. I think I know why no republicans are co-sponsors.

  12. The FCC enforces nothing. They do not operate at any level on behalf of the people. They auction off spectrum that belongs to everyone for the benefit of a handful of companies and the government. Self-licking ice cream cone.

  13. Good luck getting the FCC to help with anything related to communications.

    Long ago, I was involved with supporting an encryption standard for VOIP or digital calling, so that there could be encrypted calling across multiple services. The FCC was no help at all.

    Which is why today only closed systems have encrypted calling. Any service that offers encryption for calls locks in users and does not offer any interoperability with other service providers.

    • Government agencies are DEMANDING and doing all they can to force those using proper encryption to either stop using it or to have some sort of mandatory backdoor included… helping implement any sort of proper protection is obviously completely out of the question.

      Those days where governments existed to help protect privacy, security and relations with other countries seem gone; these “days” they want to spy on their bosses (the ones giving them the money) and to take other countries if they can do it without repercussions to themselves that they can’t handle.

  14. Hey folks – I have been a victim of sim hack 4 times so created a service just around it. Check out Dontport

    • I looked at DontPort. The home page is basic sales pitch stuff, so I looked for reliable opinions elsewhere, from anyone who could evaluate the practical abilities of that service. The only thing I was able to find in the form of third-party reviews seems to be largely unsecured forums where a topic like SIM card security is not capable of being both fairly & truthfully presented.

      Basically, it would help if The Krebs were to look into DontPort and render his opinion on that.

    • Kenny Blankenship

      This seems a little phishy to me. If you were the victim once, I could see that, but 4 times? How does that happen? Seems like a cheap sales trick. “I was 400 pounds until I tried this simple trick. I lost 250 pounds in 36 hours and YOU CAN TOO!”

  15. Seems like phone carriers could start offering the ability to lock the accounts as a feature.

    • It doesn’t matter if they allow someone at some store to unblock the account, as they probably will.

      The only thing I can imagine is that all mobile providers have a proper secure portal where users get a special random code that allows that exchange (“redirect” to a new card) or even to get a new card with the same number (say: 73621-09384-20032-93843-92833-93843), and new customers already receive that in the security card that comes with the welcome pack of the mobile operator.
      Of course these must be mandatory and people must get it before changing.
      To make sure it is the correct user: they can request the phone number, send it an SMS with a password to log in the first time and then request on the portal the original PIN number of the phone number card/eSIM and the PUK number [if they have included that on the security card in the welcome pack (apparently some mobile operators in the USA don’t give that code to customers upfront)].
      Of course, stop allowing customer support to see that information on the screen, so that hackers can’t just call and ask, or get a job there just to get that information.

  16. “the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device”

    I thought bribery was already against the law and both parties can be punished. As far as tricking employees, sounds like education, not legislation, would address that.

    Why do politicians always want to impose more laws? I guess when you don’t really serve the constituents, this happens. When you are not too bright and are a hammer, the whole world is a nail…

    • You seem to know what it is like being not too bright.

    • It’s government overreach pretending to protect the people. Everyone wants security in place, until they’re on hold for 2-3 hours waiting for a manager to swap over to the latest iPhone. At certain points, it’s personal responsibility to protect your own information and apply security controls, like MFA. Many cell phone providers are trying to protect their customers’ data, but it’s not easy keeping up with all the malicious actors trying to steal the info.

    • Democrats can’t help themselves from trying to impose more laws and regulations. Heaven forbid people should enjoy personal freedoms, picking carriers based on what protections they offer and securing their own accounts based on more intelligent choices than 2FA by phone number.

  17. just when I thought this was my safe space for political talk.

    Leave it at the door folks, please.

  18. I’m not sure why everyone is making this political. Recent incidents of SIM swapping involved insider threats (members of wireless companies accepting bribes) and theft (identity and physical). It’s difficult to protect against these issues in order to prevent SIM swapping. Krebs posted the court documents of recent scammers (for reference of how they did it). Please keep the political bias to yourself and focus on the difficulty of preventing the task.

  19. Before mandating that the FCC or the SIM providers change their rules, think through all of the scenarios where you might need to change SIMs, and what difficulty you’d like to allow for YOUR account. If the security method is unacceptable to most users, then it no longer matters much if it is offered, since you will likely refuse to implement it or never learn about it. For instance, if you lose your phone from damage or theft while out of the country or out of state, what should the procedure be that is workable for the carrier and acceptable to you? This is not as easy as it sounds. Replacing a SIM in an emergency is a one-off event, seldom encountered. When it occurs, it will likely be critical and urgent to reestablish or repair access to banks. When it occurs, could you deliver enough proof for a new SIM? Would this identical procedure be acceptable to the carrier and to you, if just upgrading your phone at home? Just lock the account if fraud is suspected? Imagine the chaos you could cause someone by just “swatting their phone’s carrier”.

    Once we have identified, implemented, and tested some acceptable methods that are cost effective, then we could start the slow process of getting users familiar with them until they are widely used. Then mandate that all carriers provide these options.

    Mandating a great security option that few use, that doesn’t work, or that costs more than it is worth is precisely why we have the huge political divide. Mandating rules, policies, and agencies that few use or few benefit from the protection of, without balancing against costs, is at the root of this divide. Just because something “could or should work”, or appears that it “delivers the desired result”, does not go far enough to justify the wisdom of imposing these new rules or agencies.

    This is why security is so difficult. Most elements appear to be able to deliver great value, and indeed could. But, implemented into a system improperly, and you get a horrible result, and at great costs.

    Example: I had a friend with a pinball business with many remote out-of-the-way gaming areas that were often targets of stealing the cash boxes. I asked why he didn’t spend the extra $20 per machine to prevent lock picking, and protect from a $200 cash loss. If he prevented access to the key lock, they would just use a crowbar to get the cash, and so destroy a $2,000 pinball. The best cost-effective solution was to allow some, but to deter most, theft using weak locks. Likely, your windows and doors at home have similar security tradeoffs. However, if this was a “public policy” problem with an agency responsible, the “solution” of mandating the $20 security devices would just “make too much sense” to not enforce a rule to “fix the problem.”

    The FCC and every agency is littered with the trash of costly rules and procedures that were well intended, but that couldn’t possibly work, or have proven to fail. Many had great costs and wasted time for all of us. How did that anti-robocall law with the $5k fine work out? Anti-spam national telephone number registry? (Wasn’t it obvious that NO ONE in their right mind would choose to OPT-IN to robocalling??) I’m guessing that the US federal government now spends 90% of its resources implementing policies that obviously don’t work or cost far more than the intended benefit. But, once rules and procedures are in place with people hired to enforce them, just try to get rid of or change those rules, or the great federal employees that faithfully execute enforcement. No, only by painfully “draining the swamp” do we correct these unwise rules and procedures, and destroy all or part of the agencies created to enforce them.

    • +1, correct

    • And this is why the Republican anti-regulatory ideology is one of the stupidest things produced by the right wing in the past few decades.

      If you ACTUALLY read the letter, you would have seen that the questions focus on reforms that won’t inconvenience any consumers. And that one of the measures might actually relax some of the privacy regulations getting in the way.

      But your ilk will write massive walls of text without first processing the information you can easily obtain by reading. This is why Republicans can’t get anything done. You put all your energy into misrepresenting the work actually being done.

  20. Mr Welsh, your anti-regulatory screed is exactly why Boeing finds themselves in the position they are in today. In order to save a few bucks and because of regulatory capture of the FAA by Boeing, hundreds of lives have been lost. All in the name of saving a few bucks. But in your world the loss of a few hundred victims is a suitable trade off. After all, look at all the successful flights every year where nobody dies.

    • I’m really not advocating no regs… But, there must be some normal scheme to sunset and get rid of those that don’t work. Anyone with the will can subvert most rules, if motivated to do so. (Many, but not all, gun laws). When I fly, I DO want to get screened for preventing those dangerous to fly. OTOH, I saw a (then) crippled US senator that was forced to endure 45 minutes at the gate where agents literally tore through all her luggage. Did I feel safer? Would you? Of course not. Yet, THAT was evidently, at the time, what the non-common-sense rules called for. I would of course welcome close scrutiny when a profiled individual matched those that were proven to cause much more havoc than an elderly old lady that is in the US senate and not a supporter of terror, but who legislated against it. Mainly, THINK!! More importantly, ensure that systems are in place to allow correction as needed. Today, there are no systems to stop new regs and agencies that don’t work. Simply try new things that might work, and do more of them, and kill off the ones that fail and consume all available resources (like airport screening), that are 90% a waste of time, and everyone knows it. Anyone with common sense also knows which rules make little sense, and which rules are avoided, that could save lives. Boeing should fire their CEO. Oh, wait… they did.