FCC Reveals Some Vague Rules That Pretend To Tackle SIM Hijacking Fraud
from the words-are-but-wind dept
For years we’ve talked about the growing threat of SIM hijacking, which involves a criminal covertly porting out your phone number from right underneath your nose (quite often with the help of bribed or conned wireless carrier employees).
Once they control your phone number, they receive every SMS one-time code and password-reset link sent to it, which opens the door to the theft of social media accounts or the draining of your cryptocurrency account. If you’re really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.
It’s a huge mess, and both the criminal complaints and the lawsuits against wireless carriers for not doing more to protect their users have been piling up for several years. For just as long, Senators like Ron Wyden have been sending letters to the FCC asking the nation’s top telecom regulator to, you know, do its job.
After years of inaction the agency appeared to have gotten the message, announcing in 2021 that it would consider new rules to make SIM hijacking more difficult. Several years later, the FCC has finally voted to approve them. Since a lot of SIM hijacking happens with the help of wireless employees bribed by criminals, the rules focus primarily on how carriers authenticate customers and on keeping customers informed:
The rules “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.”
But as with so much the FCC does, the rules are rather vague in a bid to try and avoid upsetting politically powerful wireless carriers. Like the FCC’s “broadband nutrition labels” (which urge ISPs to be transparent in how they’re ripping you off, but do nothing about the fact that ISPs routinely rip you off), the focus is transparency. Like the FCC’s digital discrimination order, there’s no punishment — or even overt criticism — of companies that have routinely failed to protect private consumer information.
As a result, industry watchers aren’t sure the rules will actually do all that much, given how vague they are about what “secure authentication methods” carriers are supposed to adopt, or what penalties carriers face if they don’t clean up their security practices. This all assumes that the FCC will actually enforce the rules in the first place, which, as we’ve seen with robocall, privacy, and broadband competition issues, is a fairly major and unreliable assumption.
Filed Under: fcc, fraud, identity theft, number porting, sim hijacking
Comments on “FCC Reveals Some Vague Rules That Pretend To Tackle SIM Hijacking Fraud”
government work....
Ron Wyden have been sending letters to the FCC asking the nation’s top telecom regulator to, you know, do its job.
that would be like asking the blue lies mafia to stop beating innocent victims!
or telling politicians that we have this little thing called a constitution. and that they work for WE THE PEOPLE! not big corps.
Re:
… Congress can’t even do its own job, much less supervise the FCC clown-show that Congress itself invented and blindly supports
your beloved incompetent CONGRESS persons are the root rot — FCC INCOMPETENCE stems directly from Capitol Hill
Re: Re:
You have not identified the root cause, look further.
Re: Re: Re:
root cause is an erroneous belief in the efficacy of political control of a society’s economic activity
Ponder that further, if you seek truth
It’s just another instance of putting lipstick on a pig and expecting the problem to go away.
Anything that would really stop SIM hijacking, like requiring verification from the original SIM first or in-person identification, would be too inconvenient for customers and too expensive for the phone companies. Personally I’d like the FCC to say “Too bad, those are the rules.” If worst comes to worst and someone has lost their SIM, can’t get to a store or doesn’t have ID, can’t access their account on-line to get a verification code, and doesn’t have an authenticator app or hardware key set up, they can do what we used to do and get a new phone number.
Yes, that causes a problem for anyone using SMS for 2FA, but that’s already a problem for them thanks to how easy it is to hijack SMS. Don’t do that, or have a second phone number (a cheap PAYG phone or a VoIP number) as a backup.
If you have accounts that you’ve abandoned, make sure to go and wipe the payment methods from them first so that someone can’t come along and abuse them later.
Re:
A related option would be for them to require that users be given the ability to lock their own accounts thusly.
A lot of people are not doing this by choice. Not every company offers a secure option for two-factor authentication, or makes 2FA optional at all. Nevermind that there’s often some backdoor way, usually e-mail, to reset the password and bypass all of that (there are services for which I’d never want the password to be resettable, let alone over an insecure protocol).
There are, of course, many possibilities for how to authenticate a change request. If the phone’s busted (and there’s no physical SIM to remove), maybe it has a serial number visible and associated with the account. Paperwork with secret reset keys could be provided upon opening the account (and, with public-key crypto, the provider wouldn’t even have a copy). Internet-based logins to associated accounts, if the password is still known (and it doesn’t require two-factor authentication via the inaccessible phone number). Chip-and-PIN from an associated payment card.
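One way to implement the “paperwork with secret reset keys” idea from the comment above, as an added example that is not part of the thread or of any carrier’s system: the provider prints a sheet of one-time reset codes at account opening and keeps only salted PBKDF2 digests, so neither a database breach nor an employee reading the record yields a usable code. This uses hashed one-time codes rather than the public-key variant the comment mentions, so it needs only the Python standard library; the code count, the lockout threshold and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8        # codes printed per sheet (assumption)
MAX_FAILURES = 5      # wrong guesses before the sheet is locked (assumption)
PBKDF2_ROUNDS = 100_000


def _normalize(code: str) -> str:
    """Accept the code however the customer types it off the paper: dashes, spaces, any case."""
    return code.replace("-", "").replace(" ", "").lower()


def _digest(salt: bytes, code: str) -> bytes:
    """Slow salted hash of one code; this is all the provider ever stores."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_reset_codes(count: int = CODE_COUNT):
    """Return (printout, record). `printout` goes to the customer on paper and is
    never written to the provider's systems; `record` holds only the digests."""
    printout = []
    for _ in range(count):
        raw = secrets.token_hex(8)                       # 64 bits of entropy per code
        printout.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "digests": [_digest(salt, c) for c in printout],
        "failures": 0,
    }
    return printout, record


def redeem_reset_code(record: dict, presented: str) -> bool:
    """Authenticate a SIM-change or port-out request with one paper code.
    Each code works exactly once, a replay is refused, and too many wrong
    guesses lock the whole sheet until the customer is verified another way."""
    if record["failures"] >= MAX_FAILURES:
        return False
    candidate = _digest(record["salt"], presented)
    for i, known in enumerate(record["digests"]):
        if hmac.compare_digest(candidate, known):        # constant-time comparison
            del record["digests"][i]                     # burn the code
            record["failures"] = 0
            return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    sheet, stored = generate_reset_codes()
    print("hand these to the customer:", sheet)
    print("first code accepted:", redeem_reset_code(stored, sheet[0]))
    print("same code replayed:", redeem_reset_code(stored, sheet[0]))
```

The record deliberately carries no plaintext codes, and the lockout means a guessed code costs an attacker at most five attempts per sheet before the request has to fall back to the slower verification paths the comment lists.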
Re: Re:
What annoys me most about SMS-based 2FA is that it always sends a 6-digit TOTP code that you enter into a form. If they’ve got TOTP running already, they’ve got everything they need to use an authenticator app instead of SMS. Just provide the customer with the QR code and let them scan it in. Any company that insists on only using SMS at that point should be considered criminally negligent.
Re: Re: Re:
Well, only if it’s guarding something important. 2FA is something I don’t want or need for certain accounts, like if I’m signing up to a site just to subscribe to certain users/channels. It’d be great if such sites dropped the pretense that I’m logging into the fucking Pentagon.
Re: Re: Re:2
A lot of sites are probably only doing it as a pretense to collect phone numbers. Twitter was fined 150 million dollars for that.
Re: Re:
An even better way for password resets/changes is to (1) (strongly) encourage everyone to use a password manager and then (2) embrace the change-password well-known URI to force people to only change passwords and such that way. You may then have a single point of failure but a good password manager is good at enforcing secure defaults. If everyone used a password manager, password resets would pretty much become unnecessary.
Re: Re: Re: Sure
Now show me a password manager that works on all devices that you use. Not just those devices you own.
Re: Re: Re:2
KeePass. Works on my Linux, Android, Apple Stuff, Windows Stuff and there’s a plugin for NextCloud that I can use in a pinch.
Syncing with Nextcloud (to address a reply below) means I have a copy on my laptop, tablet, phone, backup drive, and NextCloud.
This has saved my ass more times than I can easily count.
Re: Re: Re:
embrace the change-password well-known URI to force people to only change passwords and such that way
This doesn’t, and can’t, force anything at all. While it makes it easier for password managers to direct users to the correct password change location, that’s all it does.
Further standardization beyond that could allow password managers to also automatically step through the resulting change request workflow, but it still couldn’t feasibly “force” users to make use of that.
If everyone used a password manager, password resets would pretty much become unnecessary.
Password resets are most commonly required because the online service was breached and the password database stolen. The use of password managers does not address this at all.
Re: Re: Re:
“encourage everyone to use a password manager ”
eggs – single basket
Re: Re: Re:2
A tradeoff, like everything. Making passwords you can remember is risky because it incentivizes using shorter passwords, which are easier to brute force. A password manager also removes the incentive to use identical/similar passwords for multiple accounts.
If you don’t want all of your eggs in one basket, use two password managers. Alternatively or additionally, keep a few passwords out of your password manager(s). Write them down in a safe place.
Add 2FA, such as USB security keys.
Government love to BAN something if it causes any minor problems – why not ban SMS authentication?
FCC should mandate a break up of cellular service and voice/texting services, turning the latter into strictly ‘over the top’
number port would then become completely unnecessary (or at least be from VOIP provider to VOIP provider) and any SIM hijack would only gain a data only service.
this would also create a more competitive environment.
i am sure carriers would not like this though.
It is American Anarcho-Capitalist Supply Side Economics. The economy and congressional spending are geared toward the Supply of people in various fields of work, rather than the actual Demand for people in various fields of work, including America’s vast Surplus of evil, insane, perverted, retarded criminals in the surveillance state enabled by the FBI and police that are guards for organized crime rings, and not law enforcement officers, in conjunction with a Swedish Strike by everyone in government, which entails working at a snail’s pace, giving people the run around, going to work and collecting pay and benefits but refusing to actually do their jobs, “mistakes”, “accidental” destruction of property, and just being all around jerks.
If any of this seems to cause anyone anxiety, panic, or depression, consider seeking mental help from the surplus of charlatan quacks that developed the Gitmo Torture Program, MKUltra, the BRAIN Initiative, the Milgram Experiment, and sadistic experiments on the disabled, the elderly, promiscuous women, prisoners, veterans, and animals.
What have you got to lose other than money and property and the possibility of being tortured, illegally enslaved, and having mind reading technology on you?