FCC Finally Gets Off Its Ass To Combat SIM Hijacking
from the better-late-than-never dept
So for years we’ve talked about the growing threat of SIM hijacking, which involves an attacker covertly porting out your phone number from right underneath your nose (sometimes with the help of bribed or conned wireless carrier employees). Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you’re really unlucky, the hackers will harrass the hell out of you in a bid to extort you even further.
It’s a huge mess, and the both the criminal complaints — and lawsuits against wireless carriers for not doing more to protect their users — have been piling up for several years. For several years, Senators like Ron Wyden have been sending letters to the FCC asking the nation’s top telecom regulator to, you know, do something. After years of inaction the agency appears to have gotten the message, announcing a new plan to at least consider some new rules to make SIM hijacking more difficult.
Most of the proposal involves nudging wireless carriers to do things they should have done long ago. Such as updating FCC Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require wireless carriers adopt secure methods of confirming the customer?s identity before porting out a customer?s phone number to a new device or carrier (duh). As well as requiring that wireless carriers immediately notify you when somebody tries to port out your phone number without your permission (double duh):
“The FCC?s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers? accounts. That this wasn?t yet industry standard practice?or covered by FCC rules?speaks to the sluggishness with which the government and industry have responded to the problem.”
Again, this lack of action until now was fairly reflective of the Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia. But as we’ve established for years, while deregulation can help improve functional, competitive, healthy markets, that’s not what U.S. telecom is. It’s a bunch of government-coddled regional monopolies and duopolies, that, thanks to increased consolidation, face increasingly less meaningful competition. When you remove both competition (and pro-competitive policies) and regulatory oversight, you don’t get a miraculous free market, you usually get… a bigger, fatter Comcast.
Note these aren’t actual rules yet, it’s just the beginning of new rules. The Rosenworcel FCC is basically doing the bare minimum here to start the ball rolling, launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. That this wasn’t even contemplated until now speaks volumes as to the state of U.S. telecom regulatory oversight. Folks have been having vast fortunes stolen from under their noses for several years (seriously read this story) because wireless carriers failed to secure their own services, and the response from the U.S. government until now had been a giant, collective yawn.