Can the FCC Defeat SIM Swap Attacks?

On September 30, 2021, the US Federal Communications Commission issued a rulemaking notice for proposed new rules to address SIM swapping and number porting fraud.

The Notice of Proposed Rulemaking proposes several actions to proactively address follow-on attacks that use stolen data, with the aim of reducing additional harm to consumers from recent data breaches. It proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on their accounts.

The full notice includes an interesting history of prior FCC actions and more detail on the specifics of requiring more secure methods of authenticating customers before a SIM swap or number port out.

For SIM swaps, for example, the FCC is considering requiring mobile companies to affirmatively reach out to a customer using a one-time passcode sent via text message, email, or voice call to authenticate the SIM swap. This would likely reduce, though not prevent altogether, SIM swap fraud.

It would also, however, likely create a customer service nightmare for mobile carriers. After all, there is already a significant issue where people find carriers are unwilling to fulfill their legitimate number porting requests. There will be any number of situations in which a customer making a legitimate SIM change or number port out is unable to comply with the secure authentication provision.

The real problem, largely unmentioned in the FCC’s notice, is that the telephone number has become the new Social Security Number. It is routinely used as a method of authentication for a wide swath of services, even though the flaws in doing so are numerous and obvious at this point.

Making it harder to steal someone’s phone number will help somewhat. Still, given that hijacking a person’s phone number can potentially allow criminals to hijack that person’s entire life, the incentives for that sort of fraud are going to be immense as long as that remains the status quo.