More than a year after lawmakers requested such action to protect consumer data and national security, the commission’s move could help to stop hackers undermining multifactor authentication.
The Federal Communications Commission unanimously agreed to embark on a rulemaking that would require mobile network companies to verify the identity of consumers requesting changes to their accounts—an effort to stem subscriber-identity-module—or SIM—card fraud.
During a commission meeting Thursday, acting FCC Chairwoman Jessica Rosenworcel explained how the hack undermines multifactor authentication, a bedrock element of basic cybersecurity hygiene that has become even more important in the wake of major recent breaches involving credential theft.
“A fraudster calls up your wireless provider and convinces the customer service representative that they are you and need your phone number switched to a new SIM card that they control. The cyber crooks don't need your phone to do this, they simply need to convince your carrier to make a change to your account,” she said. “And when they do, they can use your phone number to divert your incoming messages and easily complete the kind of two-factor authentication checks that financial institutions and social media companies use. That means they can take over your email and they can drain your bank accounts.”
A January 2020 letter lawmakers sent to then-FCC Chairman Ajit Pai warned the damage from such “SIM swap” attacks could be a lot worse than that too, and urged the commission to take action on national security grounds.
“If a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue alerts using the federal alert and warning system operated by the Federal Emergency Management System,” reads the letter led by Sen. Ron Wyden, D-Ore. “Countless other government websites used by millions of Americans either allow password resets via email or support two-factor authentication via SMS, which can both be exploited by hackers using SIM swaps.”
According to a Princeton University study Rosenworcel cited, four out of five SIM-swap fraud attempts are successful. And news of a massive breach of consumer data at T-Mobile has heightened the threat.
“To make matters worse, recent carrier data breaches that have made headlines may have exposed the very kind of customer information that could make it a whole lot easier to pull off these kinds of attacks,” Rosenworcel said.
According to the FCC, the commission proposes amending the Customer Proprietary Network Information and Local Number Portability rules to require carriers’ secure authentication of a customer before changing their number to a new device and to immediately notify customers whenever a SIM change is requested on their accounts.
The FCC will seek comment for 30 days and consider whether the rule should be accompanied by audits for enforcement and apply to both electronic and physical SIM cards, officials said.