FCC Targets SIM Swapping and Number Port-Out Scams
October 7, 2021 | by Andrew Regitsky
On September 30, 2021, the FCC released a Notice of Proposed Rulemaking (Notice) in Docket 21-341 in order to stop the growing cellphone problems of SIM card swapping and port-out scams. Industry comments are due 30 days after the Notice appears in the Federal Register.
Here are how these scams work:
Subscriber Identity Module (SIM) Swapping - A bad actor convinces a victim’s wireless carrier to transfer the victim’s service from the victim’s cell phone to a cell phone in the bad actor’s possession. This is called “SIM swapping” because it involves an account being fraudulently transferred (or swapped) from a device associated with one SIM to a device associated with a different SIM.
Port-Out Fraud - A bad actor, posing as the victim, opens an account with a carrier other than the victim’s current carrier. The bad actor then arranges for the victim’s phone number to be transferred to (or “ported out”) to the account with the new carrier controlled by the bad actor.
Once a SIM Swap or Port-Out scam has been completed, the predator can quickly gain access to many more of the victim’s accounts with disastrous results.
Because text messages are often used by banks, businesses, and payment services to verify a customer’s identity when a customer requests updates to accounts, intercepting a text message used to authenticate a customer can allow a bad actor to reset a customer’s password and take over the customer’s financial, social media, and other accounts. Having taken over these accounts, the bad actor can then change login credentials, drain bank accounts, and, increasingly, steal cryptocurrency and sell or try to ransom social media accounts.4 Loss of service on a customer’s device—the phone going dark or only allowing 911 calls—is typically the first sign of a SIM swapping or port-out scam. There are also media reports that, in some instances, a hacker was able to perpetrate a “partial porting fraud” by changing the carrier for delivery of SMS messages without changing the primary carrier for purposes of voice, data, and accounting (Notice at para. 7).
The FCC has received hundreds of complaints about these types of fraud. Therefore, in the Notice, it proposes to modify its section 222 Customer Proprietary Network Information (CPNI) and section 251(b)(2) Local Number Portability (LNP) rules to require carriers to adopt secure methods of authenticating a customer before redirecting that customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on their accounts.
Regarding section 222, the Commission proposes that that the use of either (1) a pre-established password; a one-time passcode sent via text message to the account phone number or (2) a pre-registered backup number; a one-time passcode sent via e-mail to the e-mail address associated with the account; or (3) a passcode sent using a voice call to the account phone number or a preregistered back-up telephone number would each constitute a secure method of authenticating a customer prior to a SIM change.
As an alternative, the agency asks whether it should instead require carriers to comply with the NIST Digital Identity Guidelines, which are updated in response to changes in technology. The NIST Digital Identity Guidelines are a set of guidelines that provide technical requirements for federal agencies “implementing digital identity services,” and is focused on authenticating individuals.
The Commission asks for comments on the appropriate implementation period for wireless carriers to implement any changes to their customer authentication processes.
Additionally, the FCC proposes to require wireless providers to notify customers immediately of any requests for SIM changes and requiring up to a 24-hour delay for SIM swap requests while notifying the customer via text message, e-mail through the carrier’s app, or other push notification and requesting verification of the request.
To stop Port-Out fraud, the Commission proposes to strengthen its LNP rules by requiring wireless carriers to provide notification to customers through text message or other push notification to the customer’s device whenever a port-out request is made, to ensure that customers respond in the event of an unauthorized port request.
The agency asks whether a port request notification requirement is sufficient to protect customers from Port-Out fraud, or whether it should also require customer verification or acknowledgement of the text message or push notification through a simple Yes/No response mechanism.
The FCC asks two interesting questions: (1) Should it require all wireless providers to use the same porting authentication processes? And (2) Should all providers offer customers a port-freeze option?
Finally, the FCC asks whether the Local Number Portability Administrator (LNPA) can play a role in thwarting Port-Out fraud by serving as an authorized neutral third-party to verify customer identification prior to authorizing a port-out request.
As someone with a new Galaxy S20 5G phone, I am very interested in the outcome of this proceeding and suggest all cellphone providers stay involved.