New guidelines

FCC Eyes New Rules for Wireless Carriers to Prevent SIM Swap Fraud

Members of the Federal Communications Commission voiced their unanimous support for the introduction of a new rule that would require mobile network companies to verify the identity of consumers requesting changes to their accounts. During a meeting Thursday, the commissioners backed the proposed guidance as a means to counter SIM card fraud.

The commission is keen on proposing an amendment to the Customer Proprietary Network Information and Local Number Portability rules to require carriers to authenticate a customer before changing their number to a new device and to immediately notify customers whenever a SIM change is requested on their accounts, Nextgov reported Wednesday.

After the meeting, acting FCC Chairwoman Jessica Rosenworcel explained to reporters how SIM card fraud undermines multifactor authentication, a bedrock element of basic cybersecurity hygiene that has become even more important in the wake of major recent breaches involving credential theft.

This hack can be perpetrated by simply calling up a subscriber’s wireless provider and convincing the customer service representative to switch over the victim’s phone number to a new SIM card. Cyber criminals do not need a subscriber’s phone to do this. They simply need to convince the carrier to make a change to the victim’s account, Rosenworcel said.

The FCC’s chair warned that once criminals manage to hack a SIM card, they can use the subscriber’s phone number to divert incoming messages and easily complete two-factor authentication checks. This enables the opening of the victim’s emails and even the draining of their bank accounts, she said.

Exacerbating the situation are recent carrier data breaches that may have exposed customer information that could make it easier for cyber criminals to stage such attacks, Rosenworcel said. She cited a recent Princeton University study indicating that up to 80 percent of SIM-swap fraud attempts are successful.