FCC makes providers tackle SIM swapping

The Federal Communications Commission (FCC) now requires wireless providers to notify customers before they grant any requests for a SIM-card change. The order, announced on Nov. 15, puts greater responsibility on comms companies to curb a social-engineering impersonation tactic called SIM swapping, which led to over $72 million in losses in 2022, according to the FBI.

“Consumers must be able to count on secure verification procedures and reliable privacy guarantees from their wireless providers. And they should be able to go about their day without fearing that someone, somewhere, might take control of their phone without a single warning sign,” said Commissioner Geoffrey Starks in a statement following the announcement.

A SIM swap occurs when a bad actor convinces a carrier to assign the victim’s phone number over to a device in the attacker’s possession. The scammer may present verbal identification or claim that their phone and SIM card were lost and destroyed.

And the tactic has worked. The FBI’s Internet Crime Report counted 2,026 total victims of SIM swaps in 2022. Between January 2018 and December 2020, the agency received only 320 complaints and total adjusted losses of “approximately $12 million,” according to the agency.

Defenses against SIM swapping have been largely the responsibility of the end-user: Use unique passwords, don’t post sensitive information online, save a carrier’s number as a contact.

Sue Bergamo, advisory CISO at the third-party risk-management provider Panorays, was “thrilled” with the move, which also puts responsibility on vendors.

“I believe that the SEC is actually doing the consumer a favor by requesting that cellular carriers verify that the consumer is exactly who they are before they make any changes to the account or to that SIM card,” Bergamo told IT Brew.

Others are more pessimistic. “There’s no real guidance on what these secure authentication methods should be or what constitutes immediate notification,” wrote Ars Technica’s senior security editor, Dan Goodin.

Starks in his statement defended the baseline requirements over prescriptive rules, writing: “Many providers may already have certain protective measures in place that may fulfill some of these new requirements, and second, that the threat landscape is rapidly evolving, and providers need flexibility to adopt and adapt their security methods accordingly.”

Bergamo hopes to see more specific guidance from the FCC, regarding how to involve the consumer in the notification. “Because right now, each one is going to do it in their own way, shape, or form,” Bergamo said.