The FCC is looking to slow down SIM swapping with new authorization requirements for wireless service providers. The new FCC rules will force providers to update their procedures for transferring a customer’s number to a new device, and will also require them to notify customers when a swap or port-out request is made.
The move essentially forces a new set of procedures and checks on the customer service employees that are targeted by the criminal hackers that engage in SIM swapping. Security experts note that the requirements for both the new authentication systems and the notification format and timing have both been left very vague, however, raising questions as to how effective the new FCC rules will ultimately be.
FCC rules take aim at SIM swappers, but leave methods up to telcos
The changes have been made to two FCC rules: Customer Proprietary Network Information (CPNI) and Local Number Portability. Wireless carriers will have to adopt secure methods of authenticating a customer before porting a number, but the actual details of this are left very vague. The FCC has issued a “Further Notice of Proposed Rulemaking” to seek comment on harmonizing government efforts to stop SIM swapping and merge with existing CPNI rules, suggesting that there may be more developments in the months to come, but for now it seems that carriers have wide latitude to determine for themselves what is a “secure authentication method.”
One immediate and clear change in the new FCC rules is that carriers will now have to notify customers whenever a SIM swapping attempt takes place. However, there is again a lack of specifics on exactly what form this notification needs to take.
The notice indicates that the new FCC rules were motivated by “numerous” consumer complaints about SIM swapping and some of the larger telco data breaches of late, such as the T-Mobile breach of 2020 in which millions of customer records were stolen. The agency also cites a 2022 Princeton University study in which researchers purchased 10 prepaid accounts with each of the country’s five major wireless carriers and found that unauthorized SIM swaps by phone were generally easy to pull off, with all of the carriers found to authenticate with just one piece of a wide range of personal information (even if the caller had failed previous challenges). Additionally, during 9 of the 50 attempts a live customer service agent either failed to authenticate entirely or leaked personal information that could then be used to pass a challenge.
Security researchers have expressed skepticism about the new FCC rules given that no financial penalties for telcos that are found negligent in their authentication security have been proposed, and that at least one commissioner suggested that some existing telco systems were adequate and should be recognized. Nearly all of the carriers offer 2FA via an SMS message, something that is widely considered to not be adequate to stop SIM swapping, but beyond that they vary greatly in higher security options (such as requiring a login to an online customer service portal or visiting a retail location in-person with valid ID).
SIM swapping fueled by low-level customer support deficiencies
SIM swapping has become a primary method of gaining initial entry into company networks, and groups like Lapsus$ and Scattered Spider are sometimes portrayed as wizards in this area. While they definitely have advanced skills, they are also walking through giant security holes created by the telcos in the first place.
Among the single source of personal information that some of the carriers accept for SIM swapping is information about a recent prepaid refill of the account. However, it is possible to simply purchase a refill card and apply it to someone else’s phone number without any authentication. Hackers can then use that refill information for authentication. Another readily exploitable authentication method is information about recent outgoing calls to particular numbers. Hackers might already know who the target has called recently due to regular patterns or social media posts, or might find a way to trick them into calling numbers that they control. Many carriers also often allow authentication via just one or two pieces of the sort of personal information that constantly flows to the dark web from data breaches at other companies; in T-Mobile’s case, they have lost a lot of this information themselves in recent years.
And all of this is assuming that a customer service rep actually bothers to properly authenticate SIM swapping requests, which the Princeton study backing the new FCC rules found one should expect to not happen around once or twice out of every 10 attempts. This also assumes that the customer service reps are not compromised. In 2021, the DOJ convicted a former employee of an unnamed carrier of accepting bribes of up to $500 to perform SIM swaps for criminal outfits.
In 2022 the FBI recorded a little over 2,000 SIM swapping complaints, estimating about $72 million in total losses. Numbers began to spike in 2021; in the years prior these attacks accounted for only around 100 complaints per year and several million dollars in total losses at most.
Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, notes that the new FCC rules must consider how much personal data people now store on their phones and how much of a single gateway of access they are to various other accounts: “Mobile devices have become integral to how we authenticate ourselves with almost any service today, so these issues are critical to address. The new rules place more emphasis on authentication and notification. While these represent steps in the right direction, they raise key questions and concerns. New rules require carriers to balance consumer privacy with the amount of personal information they collect for authentication and authorization. Users already provide a lot of data when signing up, so the question is what and how much more carriers will collect. As carriers store more data, ransomware and threat actors will become more interested in them. Let’s just say they do find the perfect balance; then you have the problem of keeping that data safe when their mobile apps access it.”
Mobile malware can already steal account credentials and PII on the device while the end user is using apps. They already have capabilities like overlay screens, screen sharing, keylogging, and intercepting one-time passwords. All carriers have mobile apps that allow customers to manage their accounts and subscriptions. So, no matter how much more information is collected and factored into authentication, it will always be prone to mobile malware. There will have to be some guidance that takes mobile apps and mobile devices into consideration,” added Vishnubhotla.