Fed Instructs Telcos to Protect Consumers from SIM Swapping

The US Federal Communications Commission has issued a new order instructing telecommunications providers to take measures against SIM swap and port-out fraud attacks.

According to a Bitdefender study, financial fraud generates the highest level of anxiety, with 41% of online users concerned that scammers will eventually find ways to defraud them.

These fears are justified, with SIM swapping leading to some of the costliest cyber incidents for regular netizens – including life’s savings for some.

This criminal practice isn’t new, and it shows no signs of stopping. But the Federal Communications Commission says it’s high time carriers did something about it.

According to Commissioner Geoffrey Starks, consumers “should be able to go about their day without fearing that someone, somewhere might take control of their phone without a single warning sign.”

Starks and his fellow commissioners want wireless operators to take steps to thwart the practice.

“Bad actors are taking advantage of the services that let you keep your old number when you change phones or providers, leveraging identity authentication protocols and underdeveloped fraud response systems to, essentially, steal your phone and your account – without ever gaining physical control of it,” the commissioner says in a letter to carriers.

“These scams – SIM swap and port-out fraud – don’t just put wireless account access and details at risk,” Starks continues. “Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on.”

SIM swapping gives criminals access to victims' bank accounts, crypto-currency accounts, and sensitive information. Also known as SIM splitting or SIM jacking, this type of account takeover targets SMS-based two-factor authentication (2FA), where the attacker intercepts the victim’s multi-factor verification codes to take over an account.

The FCC stresses that “consumers must be able to count on secure verification procedures and reliable privacy guarantees from their wireless providers.”

The new order updates the Commission’s existing Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to protect against SIM swap and port-out fraud and requires wireless providers to “adopt secure authentication methods and to immediately notify customers of SIM change or port-out requests before they are processed, among other things,” the FCC says.

These are baseline requirements, not prescriptive rules, and the FCC understands that providers need some flexibility to adopt and adapt their security methods in a rapidly evolving threat landscape, Starks notes.

To learn more about this particular threat, check out our comprehensive guide: How SIM Swapping Attacks Work and How to Protect Yourself.

Consider using a security solution on your mobile device to limit hackers’ chances of socially engineering you, or to infect your device with data-stealing malware. Learn more at https://www.bitdefender.com/solutions/.