FCC Finally Gets Off Its Ass To Combat SIM Hijacking
from the better-late-than-never dept
So for years we've talked about the growing threat of SIM hijacking, in which an attacker covertly ports your phone number out from right under your nose (sometimes with the help of bribed or conned wireless carrier employees). Once they control your phone number, they have access to most of your personal accounts secured by SMS-based two-factor authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you're really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.
It's a huge mess, and both the criminal complaints -- and the lawsuits against wireless carriers for not doing more to protect their users -- have been piling up for several years. For just as long, Senators like Ron Wyden have been sending letters to the FCC asking the nation's top telecom regulator to, you know, do something. After years of inaction the agency appears to have gotten the message, announcing a new plan to at least consider some new rules to make SIM hijacking more difficult.
Most of the proposal involves nudging wireless carriers to do things they should have done long ago, such as updating the FCC's Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require that wireless carriers adopt secure methods of confirming a customer's identity before porting that customer's phone number to a new device or carrier (duh), and requiring that wireless carriers immediately notify you when somebody tries to port out your phone number without your permission (double duh):
"The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts. That this wasn’t yet industry standard practice—or covered by FCC rules—speaks to the sluggishness with which the government and industry have responded to the problem."
Again, this lack of action until now was fairly reflective of the Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia. But as we've established for years, while deregulation can help improve functional, competitive, healthy markets, that's not what U.S. telecom is. It's a bunch of government-coddled regional monopolies and duopolies that, thanks to increased consolidation, face ever less meaningful competition. When you remove both competition (and pro-competitive policies) and regulatory oversight, you don't get a miraculous free market, you usually get... a bigger, fatter Comcast.
Note that these aren't actual rules yet; it's just the beginning of the rulemaking process. The Rosenworcel FCC is basically doing the bare minimum here to start the ball rolling, launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. That this wasn't even contemplated until now speaks volumes about the state of U.S. telecom regulatory oversight. Folks have been having vast fortunes stolen from under their noses for several years (seriously, read this story) because wireless carriers failed to secure their own services, and the response from the U.S. government until now had been a giant, collective yawn.
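As an added illustration (not part of the Techdirt post, and not any carrier's or the FCC's actual implementation), here is a constructed Python model of a carrier-side SIM-change handler that enforces the two controls the proposal describes: identity confirmation through a customer-set port-out PIN rather than answers to knowledge-based questions or a code texted to the very number being moved, and an immediate notice to every contact channel on file for each request. The account record, the PIN policy, the three-strike lockout and all sample values are assumptions made for this example.

```python
"""Constructed model of a carrier-side SIM-change / port-out workflow.

Two controls are modelled: (1) identity is confirmed only with a
customer-set port-out PIN, never with knowledge-based answers or an OTP
sent to the number being moved; (2) the customer is notified on every
channel on file the moment a request is made, before any outcome.
Everything here (schema, policy, sample data) is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3                 # constructed policy: lock after 3 bad PINs
WEAK_METHODS = {"kba", "sms_otp"}       # SSN / maiden name, or a code texted to the number


@dataclass
class Account:
    """Constructed carrier account record (not any real carrier's schema)."""
    msisdn: str                          # the phone number on the account
    sim_iccid: str                       # the SIM currently registered to the number
    email: str                           # second notification channel on file
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    notifications: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked account table does not leak port-out PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def new_account(msisdn: str, iccid: str, email: str, port_pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(msisdn, iccid, email, salt, hash_pin(port_pin, salt))


def notify(acct: Account, event: str, detail: str) -> None:
    """Push the same notice to every channel on file. SMS still reaches the
    current SIM because notices are sent before any swap takes effect."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for channel in ("sms:" + acct.msisdn, "email:" + acct.email):
        acct.notifications.append((stamp, channel, event, detail))


def request_sim_change(acct: Account, new_iccid: str, method: str,
                       pin: Optional[str]) -> dict:
    """Decide a SIM-change request. `method` names how the requester proved
    identity: "port_pin" is the only accepted method in this model."""
    # Control 2: immediate notice of every request, regardless of outcome.
    notify(acct, "sim_change_requested", f"new SIM {new_iccid} via {method}")

    def deny(reason: str) -> dict:
        acct.audit.append(("denied", method, reason))
        notify(acct, "sim_change_denied", reason)
        return {"status": "denied", "reason": reason}

    if acct.locked:
        return deny("account_locked")
    # Control 1: refuse verification that an attacker can learn or intercept.
    if method in WEAK_METHODS:
        return deny("weak_verification_method")
    if method != "port_pin":
        return deny("unknown_verification_method")
    if pin is None or not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # further attempts need out-of-band recovery
            return deny("account_locked")
        return deny("bad_pin")

    acct.failed_attempts = 0
    old = acct.sim_iccid
    acct.sim_iccid = new_iccid
    acct.audit.append(("approved", method, f"{old} -> {new_iccid}"))
    notify(acct, "sim_change_completed", f"SIM {old} replaced by {new_iccid}")
    return {"status": "approved", "old_iccid": old, "new_iccid": new_iccid}


if __name__ == "__main__":
    # Constructed sample account; the ICCIDs and PIN are made up.
    alice = new_account("+15550100", "8901000000000000001", "alice@example.invalid", "48213")
    print(request_sim_change(alice, "8901000000000000099", "kba", None))
    print(request_sim_change(alice, "8901000000000000099", "port_pin", "48213"))
    for notice in alice.notifications:
        print(notice)
```

The ordering matters more than the data model: the notice goes out before the verification result, so the customer hears about a denied attempt as well as a successful one, and the SMS copy is still delivered to the SIM that is about to be replaced. Recovery from the lockout is deliberately left out of the model; in practice it has to run over a channel that is not the phone number itself, or the lockout just becomes a denial-of-service lever.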
Filed Under: fcc, sim hijacking
Reader Comments
Move Two Factor Authentication to Google Voice
Don't use your mobile phone for 2FA to your most important web sites (bank, investment, email, ...).
Create a new Google account and access it on a different browser than you normally use. I normally use Firefox, but I use Chrome for my Google accounts.
Set up Gmail and Google Voice and use that GV number for your 2FA phone.
Then you can use your laptop to access your bank and get your OTP six digit code.
Google Voice is accessible on all your devices. Depending on your mobile phone is too risky because you have no backup if you lose it. For the same reason I switched from Google Auth to Authy because I could more easily set up backup access.
Re: Move Two Factor Authentication to Google Voice
So... to be safe don't depend on your normal workflow, just hand everything over to Google and hope those new accounts don't get lost or compromised?
"Depending on your mobile phone is too risky because you have no backup if you lose it"
Only if you haven't set up any regular backups, which are usually activated by default in most modern devices. Also, you're paranoid about using a phone as a single point of failure, but you're OK using a laptop as the same single point of failure?
This Happened To Me Last Year
And it was pretty annoying. I got off easy because all they had access to was my PayPal account, and all they did was buy a 600 dollar pair of shoes before I caught it. I'm not sure that I'm mad at the FCC or mobile carriers about it though.
2FA is tough to set up in a way that's both secure and easy to use. I personally like tying things to the fingerprint sensor on my phone and in general prefer MFA tied to physical items that are hard to move/duplicate. I also understand that this is annoying and difficult for many users.
As a whole SIM hijacking is bad but maybe we just overly rely on SIM cards. Maybe that's the issue at hand.
duh and double duh
Before the time of SIM hijacking, before the time of 2FA, there was number portability and the ease of moving from one carrier to another. Number portability was optimized for ease of porting at the expense of ensuring customer validation, by FCC rule, because carriers wanted to make portability harder. So before we Duh and Double Duh the current state, please keep in mind the balance of ease of use of porting with security. I'm willing to bet now that the rule changes will anger people because porting will become harder.
Re: duh and double duh
Indeed.
Something else to remind everyone: even if you lock your SIM card (you should), this won't prevent SIM Hijacking, as SIM Hijacking isn't actually SIM Hijacking -- it's the phone account on the telco's side that gets hijacked, and the registered SIM on the account gets replaced with one belonging to the attacker.
Personally, I think I would have been happier if each SIM had a number slaved to it, and if you get a new SIM, you get a new number. This could be routed around with eSIMs, where you can move your electronic SIM between devices without requiring a physical card.
Not exactly
This only works in a very limited way. Capitalism is driven via two primary pressures:
Number 2 works only as long as #1 doesn't. The moment there aren't enough competitors to keep the players actually competing (on price, service, quality, etc), then price will increase and service & quality will decrease.
Capitalism has built-in pressures to drive down to zero expenses and drive up to maximum revenue.
Government regulation can cap prices, forcing companies to compete on service, quality and amenities. Anyone who flew before deregulation knows what I'm talking about.
Without any regulation, #1 results in Lord of the Flies cannibalism.
Re: Not exactly
Let's look at that full quote for a moment:
You've expanded on the point being made in the article, but cropped your quote so as to imply Techdirt has claimed the opposite. Contextually, the quote says that "while deregulation can help improve functional, competitive, healthy markets", US Telecom is not a "functional, competitive, healthy market".
Stating deregulation doesn't work in an environment without competition is exactly what Techdirt was saying. Why you've positioned your commentary in opposition to Techdirt's commentary, rather than as supportive of Techdirt's commentary is unclear.
This is literally the opposite of "SIM hijacking". It's the account (or phone number) being hijacked, not the SIM.
Re:
IIRC, there are 2 ways to get access to your phone number.
You either get the number and swap the SIM card (which is what is being talked about here), or you get the number and redirect the SMSes through an SMS redirect service.
I doubt the FCC is fast enough to tackle the other issue.
Which member of Congress got simjacked?
We know this is the only reason they ever do anything that might accidentally benefit citizens.
Re:
Under that logic, Ron Wyden years ago? It's in the article as something he has been agitating about for years. I imagine congressional reps are constant targets for these kinds of attacks, and anyone concerned for their own well-being should be concerned with this issue out of pure self-interest, and I really am struggling to see why you don't think any of them might be self-interested before they get simjacked. I've always been surprised their own self-interest hasn't motivated similar thinking more often in these cases.
Re: Re:
Because every corporation providing them any service tends to put big flashing warning lights on their accounts.
They are handed a special Comcast help number to use when they have a problem with their service, which gets them the white glove service they think we all get.
This isn't an anomaly; it feeds into the bubble Congress operates in, where they think everything is fine because they never had that problem.
Ron Wyden is an anomaly because he actually seems to give a shit how these things harm lots of citizens. The cost to stop it isn't that great, but without a law forcing them to do it, corporations won't, because it might lower the stock price by .003 cents.
I look forward to being required to tell the CSR my Social Security Number and Mother's Maiden Name, both of which are highly secret and therefore excellent for confirming my identity.
Re:
You might be confused: that is the reality right now, and they are, as you sarcastically pointed out, bad. The demand is that these methods get replaced by actually good methods for dealing with identification.
Re:
No they'll just send a 6 digit pin to your existing phone via their highly secure SMS aggregation service.
"...Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia."
It is a free market utopia. For big telecom.
Grateful that the FCC is finally acting on this, or so it appears, but until Biden gets off his big round one and sorts out the new appointment to the FCC so real issues can get sorted out, most importantly Net Neutrality reinstatement, we're just living in hope all the time.