Can the FCC Defeat SIM Swap Attacks?

On September 30, 2021, the US Federal Communications Commission issued a rulemaking notice for proposed new rules to address SIM swapping and number porting fraud.

The Notice of Proposed Rulemaking proposes various actions to proactively address the risk of follow-on attacks that use stolen data, with the aim of reducing additional harm to consumers from recent data breaches. It proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.

The full notice has an interesting history of prior FCC actions and more details on the specifics of requiring more secure methods of authenticating customers before a SIM swap or number port out.

For SIM swaps, for example, the FCC is considering requiring mobile companies to affirmatively reach out to a customer using a one-time passcode sent via text message, email, or voice call to authenticate the SIM swap. This would likely reduce, though not prevent altogether, SIM swap fraud.

It would also, however, likely create a customer service nightmare for mobile carriers. After all, there is already a significant issue where people find carriers are unwilling to fulfill their legitimate number porting requests. There will be any number of reasons a customer might make a legitimate SIM change or number port out where they are unable to comply with the secure authentication provision.

The real problem, largely unmentioned in the FCC’s notice, is that the telephone number has become the new Social Security Number. It is routinely used as a method of authentication for a wide swath of services, even though the flaws in doing so are numerous and obvious at this point.

Making it harder to steal someone’s phone number will help somewhat. Still, given that hijacking a person’s phone number can potentially allow criminals to hijack that person’s entire life, the incentives for that sort of fraud are going to be immense as long as that remains the status quo.

FCC Rules In Favor of Buffy and Against PTC Complaint

Parents Television Council — the group last seen paying WWE $3.5 million after the PTC lied about the WWE’s role in a number of child deaths — filed a complaint about an episode of Buffy: The Vampire Slayer. The episode in question featured simulated sex between Buffy and Spike, which the PTC claimed was indecent. The FCC’s reply is below:

Federal Communications Commission
445 12th Street, S.W.
Washington, D. C. 20554

This is an unofficial announcement of Commission action. Release of the full text of a Commission order constitutes official action.

See MCI v. FCC. 515 F 2d 385 (D.C. Circ 1974).

FCC DENIES COMPLAINTS FILED AGAINST NOVEMBER 20, 2001, EPISODE OF
“BUFFY THE VAMPIRE SLAYER”

FOR IMMEDIATE RELEASE
August 9, 2004

NEWS MEDIA CONTACT:
Janice Wise: (202) 418-8165

Washington, D.C.: Today, the Federal Communications Commission issued a Memorandum
Opinion and Order denying a complaint by Parents Television Council alleging that various
television station licensees airing UPN programming, including the licensee of Station
WDCA(TV), Washington, DC, aired indecent material during the “Buffy the Vampire Slayer”
program on November 20, 2001. The complainants alleged that the “Buffy the Vampire Slayer”
episode at issue included a scene in which the characters Buffy and Spike engage in sexual
intercourse.

The Commission concluded that the “Buffy the Vampire Slayer” program at issue, as described
by the complainants, was not sufficiently explicit or graphic to be indecent. The Commission
noted that there was no nudity, and there was no evidence that the activity depicted was dwelled
upon, or was used to pander, titillate or shock the audience.

By the Commission: Chairman Powell, Commissioners Abernathy, Copps, Martin and
Adelstein, FCC 04-196, August 9, 2004.

Enforcement Bureau Contacts: Janice Wise or Elizabeth Valinoti (202) 418-7450

It’s Not *Free* Speech, But It’s Still Pretty Cool

Via BoingBoing.Net comes a link to an excellent FM radio broadcaster on a PC card. The PC Max comes in ISA and PCI flavors and can accept an external 5W amplifier and antenna, so you could just broadcast your MP3 collection throughout your house, or reach out and touch your nearby neighbors (and get that lovely knock on the door from the FCC).

The geek in me says I need one of these.

Clay Shirky on the Potential Revolution at FCC

Clay Shirky surprised me with his excellent look at Michael Powell, Bush’s candidate to run the Federal Communications Commission. Powell is Colin Powell’s son and, aside from Gale Norton, the closest thing to a libertarian in Bush’s administration.

Shirky points out that Powell’s biggest opponents are likely to be Republicans who have a vested interest in the status quo at the FCC. Shirky doesn’t mention it, but it was Republicans in Congress, for example, who pushed through a bill essentially overturning the FCC’s decision to approve low power radio.

Add to that the faith that Democrat lawmakers have in state-run airwaves, and Powell will likely become a whipping boy for Congressional hearings once he announces that the First Amendment actually applies to broadcast media.

The Internet has demonstrated the sort of diversity that communication systems can have when they are made widely available. If Powell succeeds, he could make radio relevant again. If not, radio will continue its long downward spiral into mediocrity.

Source:

Disappearing Act. Clay Shirky, FeedMag.Com, February 9, 2001.

Bill Gates is No Free Market Hero

A lot of libertarians used Microsoft’s antitrust trial to highlight the numerous problems with antitrust law. Personally, I’d like to see all antitrust legislation repealed (or found unconstitutional by the Supreme Court). But some libertarians went further and almost created a cult of Bill Gates in which the billionaire was some sort of hero, even though Gates had previously supported left liberal political efforts in support of gun control and racial discrimination.

Now Gates is showing his true colors in calling for the Federal Communications Commission to investigate alleged monopolistic practices by AOL with its instant messaging software. AOL prohibits people using other instant messaging clients from communicating directly with people who use AOL’s instant messaging client (which is, by far, the most popular).

Forget for the moment that the FCC simply doesn’t have the authority to do this (although it seems to think it does), not to mention that AOL’s exclusion is child’s play compared to some of the stuff that Microsoft has pulled. If I were Steve Case I’d offer to completely open AIM’s protocols in exchange for Microsoft making Windows APIs open.

The answer to AOL’s exclusionary practice is the same in this case as it was in Microsoft’s case — the market will route around such monopolistic practices. Already there are a number of different technologies and projects that will make it possible to bypass AOL’s closed system or render it irrelevant altogether. As even AOL seems to realize, the days of AIM’s exclusivity are numbered.

The FCC should stay out of the instant messaging controversy and Bill Gates should at least pretend to have a consistent position on antitrust law. And some libertarians might want to think twice about their hero worship of Gates.