FCC Proposed Rulemaking to Fight SIM Swapping
The US Federal Communications Commission (FCC) is seeking feedback on its proposed rulemaking regarding SIM swapping and number port-out fraud. Both of these attacks can be used to take control of mobile phone numbers and, with that, to access associated accounts. The draft rulemaking “proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”
Good to see the FCC finally taking action on this longstanding problem. Last year, Princeton researchers showed how shoddy SIM swapping authorization and authentication processes were still in use by most carriers. Next maybe the FCC will address the ease of cell number spoofing.
Make sure that you’ve checked the security settings on your mobile account relating to SIM swapping. Some of the carriers have updated their controls, such as requiring an added PIN be created to authorize a legitimate swap. Even so, the wording can be tricky and should be read carefully. When setting up 2FA, select options other than SMS or a call to your mobile, and when those are the only choices, they are still better than a reusable password.
This is a hard problem. Carriers want to resist the small number of fraudulent swaps while not inefficiently burdening the large number of legitimate (lost, stolen, broken or new phones) swaps. At a minimum carriers should confirm all swaps out-of-band. Not expensive, not even necessarily inconvenient.