FCC Finally Gets Off Its Ass To Combat SIM Hijacking

from the better-late-than-never dept

So for years we’ve talked about the growing threat of SIM hijacking, which involves an attacker covertly porting out your phone number from right underneath your nose (sometimes with the help of bribed or conned wireless carrier employees). Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you’re really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.

It’s a huge mess, and both the criminal complaints and the lawsuits against wireless carriers for not doing more to protect their users have been piling up for several years. Senators like Ron Wyden have spent years sending letters to the FCC asking the nation’s top telecom regulator to, you know, do something. After years of inaction the agency appears to have gotten the message, announcing a new plan to at least consider some new rules to make SIM hijacking more difficult.

Most of the proposal involves nudging wireless carriers to do things they should have done long ago, such as updating FCC Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require that wireless carriers adopt secure methods of confirming a customer’s identity before porting out that customer’s phone number to a new device or carrier (duh), and requiring that wireless carriers immediately notify you when somebody tries to port out your phone number without your permission (double duh):

“The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts. That this wasn’t yet industry standard practice—or covered by FCC rules—speaks to the sluggishness with which the government and industry have responded to the problem.”

Again, this lack of action until now was fairly reflective of the Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia. But as we’ve established for years, while deregulation can help improve functional, competitive, healthy markets, that’s not what U.S. telecom is. It’s a bunch of government-coddled regional monopolies and duopolies that, thanks to increased consolidation, face ever less meaningful competition. When you remove both competition (and pro-competitive policies) and regulatory oversight, you don’t get a miraculous free market, you usually get… a bigger, fatter Comcast.

Note that these aren’t actual rules yet; it’s just the beginning of the process toward new rules. The Rosenworcel FCC is basically doing the bare minimum here to start the ball rolling, launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. That this wasn’t even contemplated until now speaks volumes as to the state of U.S. telecom regulatory oversight. Folks have been having vast fortunes stolen from under their noses for several years (seriously, read this story) because wireless carriers failed to secure their own services, and the response from the U.S. government until now had been a giant, collective yawn.
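To make the two controls the proposal describes concrete, here is an added toy model of how a carrier might implement them on the account side. It is an illustration written for this page, not the FCC’s proposed rule text and not any carrier’s code: the identity check happens before a SIM swap or port-out is accepted, the customer is notified immediately over channels they already hold (the current number and the account e-mail, never the incoming SIM), and a hold window lets the customer cancel before the change takes effect. The 24-hour hold, the account, and the ICCID values are all constructed assumptions.

```python
# Added example (not FCC rule text or carrier code): a toy model of
# "verify identity first" plus "notify the customer immediately" for
# SIM-swap and port-out requests. All values below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed cool-off window between a verified request and the actual change;
# the proposal in the article sets no figure, this one is constructed.
HOLD = timedelta(hours=24)


@dataclass
class Account:
    msisdn: str                          # customer's phone number
    iccid: str                           # SIM currently bound to the account
    email: str                           # contact channel that survives a SIM swap
    pending_iccid: Optional[str] = None
    pending_until: Optional[datetime] = None
    notifications: List[Dict[str, str]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def notify(acct: Account, event: str, when: datetime) -> None:
    """Deliver the notice over channels the customer already controls, never the new SIM."""
    for channel, address in (("sms", acct.msisdn), ("email", acct.email)):
        acct.notifications.append(
            {"channel": channel, "to": address, "event": event, "at": when.isoformat()})


def request_sim_change(acct: Account, new_iccid: str, identity_verified: bool,
                       when: datetime) -> str:
    """Handle a SIM-swap or port-out request; returns 'rejected' or 'pending'."""
    # Notify first and unconditionally, so the real customer hears about failed attempts too.
    notify(acct, f"SIM change requested to {new_iccid}", when)
    if not identity_verified:
        acct.log.append(f"{when.isoformat()} rejected: identity not verified")
        return "rejected"
    # Even a verified request waits out the hold so the notice can be acted on.
    acct.pending_iccid = new_iccid
    acct.pending_until = when + HOLD
    acct.log.append(f"{when.isoformat()} pending until {acct.pending_until.isoformat()}")
    return "pending"


def cancel_pending(acct: Account, when: datetime) -> bool:
    """Customer answers the notice and stops the change; True if there was one to stop."""
    if acct.pending_iccid is None:
        return False
    acct.log.append(f"{when.isoformat()} cancelled change to {acct.pending_iccid}")
    acct.pending_iccid = acct.pending_until = None
    return True


def apply_pending(acct: Account, when: datetime) -> bool:
    """Bind the new SIM only once the hold has elapsed and nobody cancelled."""
    if acct.pending_iccid is None or acct.pending_until is None or when < acct.pending_until:
        return False
    notify(acct, f"SIM changed to {acct.pending_iccid}", when)  # sent before the old SIM goes dark
    acct.iccid = acct.pending_iccid
    acct.pending_iccid = acct.pending_until = None
    return True


def demo() -> Dict[str, object]:
    """Walk one constructed account through the three paths and report what happened."""
    t0 = datetime(2021, 10, 1, 9, 0)
    old_sim, new_sim = "8901000000000000001", "8901999999999999999"   # constructed ICCIDs
    acct = Account(msisdn="+15550100", iccid=old_sim, email="customer@example.com")
    out: Dict[str, object] = {}
    # 1. Request with no identity check: refused, but the customer is still told.
    out["unverified"] = request_sim_change(acct, new_sim, False, t0)
    # 2. Verified request that the customer cancels after seeing the notice.
    out["verified"] = request_sim_change(acct, new_sim, True, t0 + timedelta(minutes=5))
    out["cancelled"] = cancel_pending(acct, t0 + timedelta(minutes=10))
    out["iccid_after_cancel"] = acct.iccid
    # 3. Verified request left alone: blocked inside the hold, applied after it.
    t1 = t0 + timedelta(hours=1)
    request_sim_change(acct, new_sim, True, t1)
    out["too_early"] = apply_pending(acct, t1 + timedelta(hours=1))
    out["applied"] = apply_pending(acct, t1 + HOLD)
    out["final_iccid"] = acct.iccid
    out["notice_count"] = len(acct.notifications)
    out["notice_targets"] = sorted({n["to"] for n in acct.notifications})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is the order of operations: the notice goes out before the request is judged, and the final notice goes out before the old SIM is unbound, so every message still reaches a device and mailbox the customer holds. A request that arrives without a verified identity never reaches the pending state at all, which is the "secure methods of confirming the customer’s identity" half of the proposal; the hold-and-cancel path is one way to make the "immediately notify" half actionable rather than merely informative.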


Comments on “FCC Finally Gets Off Its Ass To Combat SIM Hijacking”

17 Comments
kwe says:

Move Two Factor Authentication to Google Voice

Don’t use your mobile phone for 2FA to your most important web sites (bank, investment, email, …).
Create a new Google account and access it on a different browser than you normally use. I normally use Firefox, but I use Chrome for my Google accounts.
Setup Gmail and Google Voice and use that GV number for your 2FA phone.
Then you can use your laptop to access your bank and get your OTP six digit code.
Google Voice is accessible on all your devices. Depending on your mobile phone is too risky because you have no backup if you lose it. For the same reason I switched from Google Auth to Authy because I could more easily setup backup access.

Anonymous says:

This Happened To Me Last Year

And it was pretty annoying. I got off easy because all they had access to was my PayPal account and all they did was buy a 600 dollar pair of shoes before I caught it. I’m not sure that I’m mad at the FCC or mobile carriers about it though.

2FA is tough to setup in a way that’s both secure and easy to use. I personally like tying things to the fingerprint sensor on my phone and in general prefer MFA tied to physical items that are hard to move/duplicate. I also understand that this is annoying and difficult for many users.

As a whole SIM hijacking is bad but maybe we just overly rely on SIM cards. Maybe that’s the issue at hand.

Tom Fitzmaurice says:

duh and double duh

Before the time of SIM Hijacking before the time of 2FA there was number portability and the ease of moving from one carrier to another. Number portability was optimized for ease of porting at the expense of ensuring customer validation by FCC rule because carriers wanted to make portability harder. So before we Duh and Double Duh current state, please keep in mind the balance of ease of use of porting with security. I’m willing to bet now that the rules changes will anger people because porting will become harder.

TaboToka says:

Not exactly

while deregulation can help improve functional, competitive, healthy markets

This only works in a very limited way. Capitalism is driven via two primary pressures:

  1. Expansion (healthy: offering something the competition doesn’t vs. unhealthy: buying the competition).
  2. Reducing costs/increasing revenue

Number 2 works only as long as #1 doesn’t. The moment there aren’t enough competitors to keep the players actually competing (on price, service, quality, etc), then price will increase and service & quality will decrease.

Capitalism has built-in pressures to drive down to zero expenses and drive up to maximum revenue.

Government regulation can cap prices, forcing companies to compete on service, quality and amenities. Anyone who flew before deregulation knows what I’m talking about.

Without any regulation, #1 results in Lord of the Flies cannibalism.

PaulT says:

Re: Move Two Factor Authentication to Google Voice

So… to be safe don’t depend on your normal workflow, just hand everything over to Google and hope those new accounts don’t get lost or compromised?

"Depending on your mobile phone is too risky because you have no backup if you lose it"

Only if you haven’t set up any regular backups, which are usually activated by default in most modern devices. Also, you’re paranoid about using a phone as a single point of failure, but you’re OK using a laptop as the same single point of failure?

James Burkhardt says:

Re: Not exactly

Let’s look at that full quote for a moment:

But as we’ve established for years, while deregulation can help improve functional, competitive, healthy markets, that’s not what U.S. telecom is.

You’ve expanded on the point being made in the article, but cropped your quote so as to imply Techdirt has claimed the opposite. Contextually, the quote says that "while deregulation can help improve functional, competitive, healthy markets", US Telecom is not a "functional, competitive, healthy market".

Stating deregulation doesn’t work in an environment without competition is exactly what Techdirt was saying. Why you’ve positioned your commentary in opposition to Techdirt’s commentary, rather than as supportive of Techdirt’s commentary is unclear.

James Burkhardt says:

Re:

Under that logic, Ron Wyden years ago? It’s in the article as something he has been agitating about for years. I imagine congressional reps are constant targets for these kinds of attacks, and anyone concerned for their own well-being should be concerned with this issue on pure self interest, and I really am struggling to see why you don’t think any of them might be self-interested before they get simjacked. I’ve always been surprised their own self interest hasn’t motivated similar thinking more often in these cases.

Anonymous says:

Re: duh and double duh

Indeed.

Something else to remind everyone: even if you lock your SIM card (you should), this won’t prevent SIM Hijacking, as SIM Hijacking isn’t actually SIM Hijacking — it’s the phone account on the telco’s side that gets hijacked, and the registered SIM on the account gets replaced with one belonging to the attacker.

Personally, I think I would have been happier if each SIM had a number slaved to it, and if you get a new SIM, you get a new number. This could be routed around with eSIMs, where you can move your electronic SIM between devices without requiring a physical card.

That Anonymous Coward says:

Re: Re:

Because every corporation providing them any service tends to put big flashing warning lights on their accounts.
They are handed a special Comcast help number to use when they have a problem with their service, which gets them the white glove service they think we all get.
This isn’t an anomaly, it feeds into the bubble Congress operates in where they think everything is fine, because they never had that problem.
Ron Wyden is an anomaly because he actually seems to give a shit how these things harm lots of citizens, the cost to stop it isn’t that great, but without a law forcing them to do it corporations won’t because it might lower stock price by .003 cents.
