
The FCC Wants to Crack Down on SIM Swapping

Francis Tuffy · Editor

The US Federal Communications Commission (FCC) has released its proposed cybersecurity rules, including an attempt to prevent the serious problem of SIM swapping, a common form of digital identity theft that is particularly difficult to protect against. A recent article in Popular Science 1 looks at the what, how and where of this growing type of identity fraud.

What is SIM swapping?

SIM swapping refers to a type of fraud where attackers take over your phone number and use it to authenticate accounts that you own. If you have two-factor authentication, you will usually get a verification code sent to your phone in order to get into your accounts. That authentication process is the reason most hackers will SIM swap, because it’s an easy way to get into people’s email and bank accounts once they have the phone number.

For example, if you’ve ever logged onto an account and then received a confirmation code via text message to your phone, then you’ve experienced the moment that the hackers exploit.

‘SIM swapping attacks have increased dramatically in the last year in different countries, not only in the United States, but also in Canada and in Europe,’ says Benjamin Fung, a professor in the School of Information Studies at McGill University, Montreal. He notes that the practice inspires a lot of copycats, because the attack does not require much time or technical skill and can yield lucrative access to bank account logins.

Twitter CEO Jack Dorsey was famously SIM swapped in 2019. Both AT&T and T-Mobile were embroiled in lawsuits that accused them of failing to protect their customers from this kind of attack. One cryptocurrency investor even sued a high school senior for allegedly stealing $23.8 million of cryptocurrency from him via SIM swap.

How does SIM swapping work?

There are a few different ways hackers can do this. A hacker can call up your cell phone carrier, pretend to be you, say that they got a new phone and then ask the carrier to switch the number to their phone. Or they can call up a different carrier, say they want to switch from Verizon to AT&T, for example, and get the number put on a new AT&T phone.

Another method involves installing malware on a carrier’s network and using it to control employee accounts, so that attackers can force through the changes they want. They can also bribe, extort or blackmail employees at phone carriers in order to get access to the numbers they want.

How can people protect themselves?

There is very little people can do to protect themselves against this at an individual level. The problem stems from the way that people identify themselves over the internet. To a website, you as a person are nothing more than your phone. If someone else is able to steal your phone number, then they’re effectively you.

In fact, there have been situations where the fraudster was better at proving their stolen digital identity than the victim was at verifying themselves.

Fixing the problem starts from the assumption that any kind of two-factor authentication that relies on a phone number for verification is suspect. Using a YubiKey, a physical key where you have to press a button while logging in, is safe, as is using an authenticator app like Authy that generates a number you put in, or a barcode to scan, while logging in.

How is the FCC addressing the problem?

The FCC’s proposed regulations will require phone carriers to authenticate people’s identity before transferring their number to a new phone. People can verify their identity by offering a pre-established password or getting a one-time password sent via text message, email or phone call.

Carriers will also have to immediately notify people if a SIM change request is made on their account. Right now, that change occurs instantaneously, with zero warning and no opportunity for people to protest or reverse the change.

Providers will not be able to SIM swap phones if customers cannot authenticate their accounts via these methods. Phone carriers will also have to give customers a ‘port-freeze’ option on their accounts that does not allow for any SIM swapping.


1 - https://www.popsci.com/technology/sim-swapping-fcc-regulations/
