The Federal Communications Commission (“FCC”) announced the tentative agenda for its November 15 meeting, which includes a proposed Order to protect consumers from two increasingly common cybercriminal techniques: SIM swapping and number porting.
SIM Swapping & Number Porting
We first discussed these issues in our August 9 blog. SIM swapping is a technique where cybercriminals steal consumer phone numbers and swap the numbers into criminal-controlled devices. This technique allows criminals to pose as unsuspecting consumers and bypass SMS-based multi-factor authentication (“MFA”) tools (for example, the text message sent by a bank to validate your login attempt). Criminals convince consumer wireless providers to transfer mobile service from the consumer’s device to the criminal’s device. The proposed rules also address a similar technique known as port-out fraud – here criminals pose as the consumer to open an account with a different wireless provider, transferring the victim’s phone number to the new account controlled by the scammer. This technique can also allow criminals to bypass text-based MFA.
Scale of the Issue
The FCC has reported increasing use of SIM swapping and port-out techniques by cybercriminals. Between the FCC and Federal Trade Commission (“FTC”), consumer complaints have risen each year – the FCC received 300 complaints in 2020, 400 in 2021, and 500 in 2022. The FTC has also received consumer complaints about inconsistent or difficult processes to pursue claims with their wireless provider.
Strengthening the Commission’s Privacy Rules
In its proposed rules, the FCC lays out specific measures to protect customers from SIM swapping activities. If adopted, these rules would broadly require wireless providers to:
- Confirm customer identity prior to changing SIM;
- Immediately notify customers of attempted authentication requests;
- Immediately notify customers of SIM change requests;
- Offer options to freeze or lock accounts to stop SIM changes;
- Record and track SIM change requests and authentication measures, and to retain records for at least three years; and
- Establish safeguards and processes to prevent employees from accessing CPNI until a customer has been authenticated.
Strengthening the Commission’s Number Porting Rules
The FCC also lays out specific measures to protect customers from port-out fraud. If adopted, these rules would broadly require wireless providers to:
- Confirm customer identity prior to changing a SIM;
- Immediately notify customers of port-out requests; and
- Offer options to freeze or lock accounts to stop port-outs.
Notably, the FCC declined to codify port validation fields or require providers to implement customer-initiated passcode fields.
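As an added illustration (not FCC text or any carrier’s code), the following Python models how a carrier’s request handling would look under the controls listed above for SIM changes and port-outs: authentication before any change, customer notification of every attempt, a customer-set lock, an audit log stamped with a three-year retention date, and CPNI gated behind authentication. The account, PIN and request data are constructed.

```python
# Carrier-side model of the SIM-change and port-out controls in the proposed rules.
# Added illustration: not FCC text or any carrier's code; names and data are constructed.
import hmac
from datetime import datetime, timedelta

RETENTION = timedelta(days=3 * 365)  # records kept "at least three years"
# constructed sample account: number -> authentication secret, SIM, customer lock, CPNI
ACCOUNTS = {"5550100": {"pin": "4821", "iccid": "ICCID-OLD", "locked": False, "cpni": {"plan": "unlimited"}}}
AUDIT_LOG, NOTIFICATIONS = [], []

def record(number, event, outcome, when):
    # every request and authentication step is retained with a do-not-delete-before date
    AUDIT_LOG.append({"number": number, "event": event, "outcome": outcome,
                      "at": when, "retain_until": when + RETENTION})

def authenticate(number, pin, when):
    ok = hmac.compare_digest(ACCOUNTS[number]["pin"], pin)
    record(number, "authentication", "success" if ok else "failure", when)
    NOTIFICATIONS.append((number, "authentication " + ("succeeded" if ok else "failed")))
    return ok  # the customer hears about every attempt, failed ones included

def view_cpni(number, authenticated):
    if not authenticated:  # staff see no CPNI until the customer is authenticated
        raise PermissionError("CPNI access before customer authentication")
    return ACCOUNTS[number]["cpni"]

def change(number, event, authenticated, when, apply):
    # shared gate for SIM changes and port-outs: notify, honour the lock, require auth
    NOTIFICATIONS.append((number, event + " requested"))
    if ACCOUNTS[number]["locked"]:
        outcome = "blocked:account_locked"
    elif not authenticated:
        outcome = "blocked:unauthenticated"
    else:
        apply(ACCOUNTS[number])
        outcome = "completed"
    record(number, event, outcome, when)
    return outcome == "completed"

def demo():
    now, results = datetime(2023, 11, 15), {}
    swap = lambda acct: acct.update(iccid="ICCID-NEW")
    ok = authenticate("5550100", "0000", now)          # wrong secret: attempt is logged and notified
    results["wrong_pin"] = change("5550100", "sim_change", ok, now, swap)
    ok = authenticate("5550100", "4821", now)          # right secret: change goes through
    results["right_pin"] = change("5550100", "sim_change", ok, now, swap)
    ACCOUNTS["5550100"]["locked"] = True               # customer lock beats even a valid auth
    results["locked_port_out"] = change("5550100", "port_out", ok, now, lambda a: None)
    results["iccid"] = ACCOUNTS["5550100"]["iccid"]
    results["log"] = [e["outcome"] for e in AUDIT_LOG]
    return results
```

Running `demo()` shows the failed attempt and the locked port-out both leaving an audit entry and a customer notification, which is what gives the customer a chance to react before a takeover completes.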
Presuming the FCC adopts these new rules, it will have taken a significant step towards closing off a persistent avenue used by cybercriminals to sidestep MFA. While mobile carriers should be able to substantially reduce this threat, companies that rely on text-based MFA need to remain aware of the risks of SIM swapping and port-out fraud. Earlier this year, the FTC suggested that companies should consider using the “strongest forms” of MFA available (such as physical security keys) for particularly sensitive systems. While the FTC’s guidance did not suggest that text-based MFA should always be avoided, it evidently regards it as less secure, so companies should carefully evaluate their reliance on text-based MFA as a secure and reliable authentication tool.
Update (11/15/2023): Today, the FCC voted unanimously to adopt new rules to protect against SIM swapping and port-out fraud. We’ll post a link to the as-adopted rules when they become available.