October 1, 2021

The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identity.

In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

“We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud,” the FCC wrote. “Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate.”

The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and number port-out fraud. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.

From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.

Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attackers control).

The FCC said the carriers have traditionally sought to address both forms of phone number fraud by requiring static data about the customer that is no longer secret and has been exposed in a variety of places already — such as date of birth and Social Security number. By way of example, the commission pointed to the recent breach at T-Mobile that exposed this data on 40 million current, past and prospective customers.

What’s more, victims of SIM swapping and number port-out fraud are often the last to know about their victimization. The FCC said it plans to prohibit wireless carriers from allowing a SIM swap unless the carrier uses a secure method of authenticating its customer. Specifically, the commission proposes that carriers be required to verify a “pre-established password” with customers before making any changes to their accounts.

According to the FCC, several examples of pre-established passwords include:

-a one-time passcode sent via text message to the account phone number or a pre-registered backup number
-a one-time passcode sent via email to the email address associated with the account
-a passcode sent using a voice call to the account phone number or pre-registered back-up telephone number.

The commission said it was also considering updating its rules to require wireless carriers to develop procedures for responding to failed authentication attempts and to notify customers immediately of any requests for SIM changes.

Additionally, the FCC said it may impose additional customer service, training, and transparency requirements for the carriers, noting that too many customer service personnel at the wireless carriers lack training on how to assist customers who’ve had their phone numbers stolen.

The FCC said some of the consumer complaints it has received “describe wireless carrier customer service representatives and store employees who do not know how to address instances of fraudulent SIM swaps or port-outs, resulting in customers spending many hours on the phone and at retail stores trying to get resolution. Other consumers complain that their wireless carriers have refused to provide them with documentation related to the fraudulent SIM swaps, making it difficult for them to pursue claims with their financial institutions or law enforcement.”

“Several consumer complaints filed with the Commission allege that the wireless carrier’s store employees are involved in the fraud, or that carriers completed SIM swaps despite the customer having previously set a PIN or password on the account,” the commission continued.

Allison Nixon, an expert on SIM swapping attacks chief research officer with New York City-based cyber intelligence firm Unit221B, said any new authentication requirements will have to balance the legitimate use cases for customers requesting a new SIM card when their device is lost or stolen. A SIM card is the small, removable smart card that associates a mobile device to its carrier and phone number.

“Ultimately, any sort of static defense is only going to work in the short term,” Nixon said. “The use of SMS as a 2nd factor in itself is a static defense. And the criminals adapted and made the problem actually worse than the original problem it was designed to solve. The long term solution is that the system needs to be responsive to novel fraud schemes and adapt to it faster than the speed of legislation.”

Eager to weigh in on the FCC’s proposal? They want to hear from you. The electronic comment filing system is here, and the docket number for this proceeding is WC Docket No. 21-341.


42 thoughts on “FCC Proposal Targets SIM Swapping, Port-Out Fraud

  1. TimH

    I’d want the customer option of no action without face to face in a store with photo ID, and the carrier has to store a snapshot of the customer and the employee at the transaction time in the system.

    Lousy if you live in the sticks and other scenarios… but as an option for the paranoid.

    Reply
    1. timeless

      What’s a photo id, and how is a clerk supposed to verify it?

      Please recall high school or college students who used fake ids to buy alcohol.

      And keep in mind that people are likely to be in the wrong state when they ask to perform this task (cellular providers are nationwide).

      Let alone the fun adventure of voter id where not everyone has an “acceptable id”. Or the really fun “covid passport” where most entities that will issue something won’t train anyone to be able to validate anything, not even their own.

      For your amusement: [1][2]

      [1] https://www.npr.org/2018/11/30/672401957/new-mexico-id-temporarily-rejected-as-foreign-by-d-c-clerk
      [2] https://wamu.org/story/17/04/19/many-d-c-residents-tales-confusion-whether-drivers-license-actually-real/

      Reply
      1. Greffe

        Also, you’d put all the smaller carriers that don’t have physical stores out of business.

        Reply
    2. Max Power

      Many people use MVNO providers which have no physical locations.

      Reply
  2. JamminJ

    Understanding Multifactor Authentication is not intuitive. There is complexity and layers of obscurity. Then there are the definitions of each factor that not everyone agrees on.

    The “something you have” can be a very robust authentication factor, IF you truly have it in your possession.

    2FA using a One-Time-Pad (OTP) sent to a mobile phone using SMS is not truly a “possession factor”. Compared to something like an Authenticator App that generates the OTP only on the device, or a hardware token with a private key.

    With SMS, the “something you have” is really a unique IMEI number on your SIM card, which is then “mapped” to a phone number. The cellular carrier controls that mapping, and allows thousands of employees (many are minimum wage teenagers) to modify that mapping.
    So there isn’t really a good possession factor as the end user isn’t in control.

    There is a reason why NIST has been saying SMS isn’t good.
    Companies perhaps should not be allowed to call it Two Factor or Multi Factor authentication at all. Be strict with the definitions.

    Reply
    1. Prashed Dervali

      You should have your own website: this is one ofnthe clearest summations of the issue I jave come across

      Reply
  3. Billy Bob

    I would be happy if the FCC would just stop the @#$%^& car warranty calls…

    Reply
      1. moog

        He’s pretty good, there’s a whole squad of them that are hilariously good trollsploits.

        Reply
    1. Tom

      Don’t forget about the text messages that I have a refund from the DMV, a retailer, my bank, my carrier, etc., awaiting my immediate action. I’m against torture, but some days I have second thoughts.

      Reply
  4. Henry Winokur

    It’s amazing that the FCC feels a need to ask! Perhaps the possibility of some humongous fines against the companies that don’t do their due diligence would convince them to do the work?

    Reply
    1. timeless

      This is government process. In order for the FCC to implement a rule, it has to have an information gathering process. This gives everyone a chance to be “heard” and a chance for the bad actors to cheat the system into producing weak rules. But, if we’re lucky, it might give vaguely good rules and push the world forward.

      Reply
      1. JamminJ

        It really surprises people when they find out the origin of the acronym RFC is, Request For Comment.

        Reply
  5. G.Scott H.

    @JamminJ a One-Time-Pad and what you describe used with SMS are two different things. A One-Time-Pad is a set of pre-established list of codes where ideally only two have a copy and each code is used only once ever for encryption of a message. OTP as associated with SMS 2FA stands for One-Time-Passcode or Password. These are codes pseudo-randomly generated then sent preferably out-of-band commonly via SMS. The distinction is very important to cryptographers, and to others trying to understand better authentication.

    NIST did for a brief time many, many years ago drop SMS as a method of authentication. SMS has numerous issues which preclude its use as a reliable and confidential manner of communicating an authentication factor. NIST reversed course and recommended SMS although as an also ran. I suspect outside influence for this change in heart on SMS by NIST.

    I believe the best approach to multi-factor authentication is to support more than one and allow the end user to make an informed choice as to which is the best for them. A user should also be able to disable those they do not want used for their account, even for emergency access. Speaking of emergency access, this is the weak link of many authentication systems.

    Reply
    1. G.Scott H.

      I’m sorry, the One-Time-Pad definition I provided is not correct. It is even more restrictive. I suggest searching if you are interested.

      Reply
    1. JamminJ

      “eSIM technology makes switching carriers even easier. Instead of waiting for a new SIM card to ship or having to visit a local store to have a new one created, you can make the switch right on your phone, as there are a few new settings devoted to your eSIM card that allow you to switch between lines and carriers and manage accounts. If you’re a dual-SIM user, eSIM technology supports multiple accounts — and switching between them is super easy.”

      If by “solve”… you mean make it worse?

      Reply
  6. Alexandra

    The FCC should ban the use of SMS for MFA. As it stands now, a unique long password with no MFA is safer than allowing SMS to open up access to online accounts. Yubikeys and Authenticator apps should be the MFA options.

    Reply
  7. percony

    simcards does many crime types like spam, data leaked, fishing, more….. end user do not have more than 2.

    Reply
  8. scrappy doo

    caveat emptor
    if something is for free, you and your data is the product they will sell to the highest bidder.
    make no mistake, hackers will hack other hackers malware to profit off them.. just like d boys will raid
    trap houses for money and drugs to sell.
    knowledge is power senors but boondoogle thinks they are immune from complete corruption.
    know they self, the enemy and to fight the good fight till the end.

    Reply
  9. Solutionu

    Do not worry solution here
    Microchip under your skin.
    Thats what the bill gates working on and with all those fraud and id thefts
    It sounds like a perfect way to handle things.
    The first jab its processor second one passport and third one actual chip.

    Reply
  10. Nota Bene

    A password followed by a OTP is a serialized 1-factor authentication and both of the “something you know” category. So in my humble opinion, it will never meet the MFA or 2FA specs. There are way better means to have MFA implemented and I wouldn’t trust a telcom employee for verifying your claimed identity, even not when you show an ID. A colleague of mine’s daughter was victim to ID fraud. A guy managed to get a sim on the name of the lady in question (security cam shows it’s a guy). So far the comparison between ID and person in front of you.

    Reply
  11. jbmartin6

    perhaps instead fo focusing on phone service carriers, some or all of the attention should go to services which use SMS as an authentication backup despite the advice of many, including the carriers themselves, not to do so.

    Reply
  12. vb

    What is this SIM card that everyone is talking about? I can’t find it on my CDMA Sprint phone.

    Reply
    1. JamminJ

      That is why the title also says, “port-out fraud”.
      The physical SIM card is irrelevant.

      Reply
  13. CryptoCure

    One of the main concerns with a SIM swap is of course all the other account credentials that are linked to the number; banking being the most obvious. What is interesting to me, is that while everyone from your bank to Gmail uses your (MNO supplied) mobile number as a part of their security posture, nobody is talking about who must pay for the use of the MNOs SIM, infrastructure and opex to provide a second factor authentication layer.

    What if telcos offered a service in terms of which any account linked to the number, could have a proactive alert notification sent whenever a SIM is swapped? That way the account host (e.g. my bank) can put proactive measures in place to protect the account holder (me). Either the user pays (me), or the host of the account (my bank). Or the telco can offer it free as way to differentiate its offer by demonstrating how serious they are about protecting their subscribers.

    I for one would happily pay a fair monthly premium to ensure that if my SIM is swapped, my bank account limits are immediately and drastically cut until I’ve reinstated it. Or whatever such measures I may have agreed to with my bank (or Gmail, Facebook or Amazon for that matter).

    Here is an interesting Princeton research paper that puts the inherent procedural weaknesses in context: https://www.usenix.org/conference/soups2020/presentation/lee

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *