The Federal Communications Commission proposed rules Thursday aimed at curbing the threat of attacks in which cybercriminals use a victim’s personal information to steal their phone number and swap it into a scammer-controlled device, a technique known as “SIM-swapping” or “port-out fraud.”
Specifically, the proposed rule would amend the rules regarding porting numbers from one account or phone to another to include a requirement that carriers “adopt secure methods of authenticating a customer.” The draft rule also proposes that carriers be required to immediately notify customers of any request to swap or port-out their number.
The FCC did not publicly release the rules by press time Thursday. The agency declined to comment on how the rule will define “secure methods.”
SIM-swapping can give cybercriminals more than access to victims’ messages or calls. For instance, in June, a Pennsylvania woman sued T-Mobile after hackers allegedly tricked the carrier into providing her phone number and then used it to empty roughly $20,000 worth of cryptocurrency from her Coinbase account. Even organized crime groups have taken to the scamming practice.
“At the Federal Communications Commission, we’ve seen complaints from consumers who have suffered significant distress, inconvenience, and financial harm because of SIM swapping,” FCC Chairwoman Jessica Rosenworcel said in a statement. “To make matters worse, recent carrier data breaches that have made headlines may have exposed the very kind of customer information that could make it easier to pull off these kinds of attacks.”
In light of the growing number of SIM-swapping complaints, a group of bipartisan Senators wrote a letter to the FCC last year urging it to do more to address the problem, citing it as a matter of “national security.”
While security experts have long criticized carriers for not doing enough to safeguard customers, it’s not yet clear how far the new rules will go in helping victims.
“Great to see anti SIM-swapping rules proposed,” Rachel Tobac wrote on Twitter. “However, [organizations] must be given direction about secure methods of verifying identity in support — we typically see knowledge-based authentication (easy to bypass, find, solicit, etc). [Organizations] must move to [multi-factor authentication] instead to verify identity [first.]”