FCC Finally Gets Off Its Ass To Combat SIM Hijacking

from the better-late-than-never dept

So for years we've talked about the growing threat of SIM hijacking, which involves an attacker covertly porting out your phone number from right underneath your nose (sometimes with the help of bribed or conned wireless carrier employees). Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you're really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.

It's a huge mess, and both the criminal complaints -- and lawsuits against wireless carriers for not doing more to protect their users -- have been piling up for several years. For just as long, Senators like Ron Wyden have been sending letters to the FCC asking the nation's top telecom regulator to, you know, do something. After years of inaction the agency appears to have gotten the message, announcing a new plan to at least consider some new rules to make SIM hijacking more difficult.

Most of the proposal involves nudging wireless carriers to do things they should have done long ago, such as updating the FCC's Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require that wireless carriers adopt secure methods of confirming the customer's identity before porting out a customer's phone number to a new device or carrier (duh), and requiring that wireless carriers immediately notify you when somebody tries to port out your phone number without your permission (double duh):

"The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts. That this wasn’t yet industry standard practice—or covered by FCC rules—speaks to the sluggishness with which the government and industry have responded to the problem."

Again, this lack of action until now was fairly reflective of the Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia. But as we've established for years, while deregulation can help improve functional, competitive, healthy markets, that's not what U.S. telecom is. It's a bunch of government-coddled regional monopolies and duopolies that, thanks to increased consolidation, face ever less meaningful competition. When you remove both competition (and pro-competitive policies) and regulatory oversight, you don't get a miraculous free market; you usually get... a bigger, fatter Comcast.

Note that these aren't actual rules yet; it's just the beginning of a process that might produce new rules. The Rosenworcel FCC is basically doing the bare minimum here to start the ball rolling, launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. That this wasn't even contemplated until now speaks volumes as to the state of U.S. telecom regulatory oversight. Folks have been having vast fortunes stolen from under their noses for several years (seriously, read this story) because wireless carriers failed to secure their own services, and the response from the U.S. government until now had been a giant, collective yawn.


Filed Under: fcc, sim hijacking


Reader Comments



  • kwe (profile), 6 Oct 2021 @ 6:51am

    Move Two Factor Authentication to Google Voice

    Don't use your mobile phone for 2FA to your most important web sites (bank, investment, email, ...).
    Create a new Google account and access it on a different browser than you normally use. I normally use Firefox, but I use Chrome for my Google accounts.
    Set up Gmail and Google Voice and use that GV number for your 2FA phone.
    Then you can use your laptop to access your bank and get your OTP six digit code.
    Google Voice is accessible on all your devices. Depending on your mobile phone is too risky because you have no backup if you lose it. For the same reason I switched from Google Auth to Authy because I could more easily set up backup access.


    • PaulT (profile), 6 Oct 2021 @ 7:38am

      Re: Move Two Factor Authentication to Google Voice

      So... to be safe don't depend on your normal workflow, just hand everything over to Google and hope those new accounts don't get lost or compromised?

      "Depending on your mobile phone is too risky because you have no backup if you lose it"

      Only if you haven't set up any regular backups, which are usually activated by default in most modern devices. Also, you're paranoid about using a phone as a single point of failure, but you're OK using a laptop as the same single point of failure?


  • Anonymous Coward, 6 Oct 2021 @ 7:37am

    This Happened To Me Last Year

    And it was pretty annoying. I got off easy because all they had access to was my PayPal account, and all they did was buy a 600 dollar pair of shoes before I caught it. I'm not sure that I'm mad at the FCC or mobile carriers about it though.

    2FA is tough to set up in a way that's both secure and easy to use. I personally like tying things to the fingerprint sensor on my phone and in general prefer MFA tied to physical items that are hard to move/duplicate. I also understand that this is annoying and difficult for many users.

    As a whole SIM hijacking is bad but maybe we just overly rely on SIM cards. Maybe that's the issue at hand.


  • Tom Fitzmaurice (profile), 6 Oct 2021 @ 7:47am

    duh and double duh

    Before the time of SIM hijacking, before the time of 2FA, there was number portability and the ease of moving from one carrier to another. Number portability was optimized for ease of porting at the expense of ensuring customer validation, by FCC rule, because carriers wanted to make portability harder. So before we "duh" and "double duh" the current state, please keep in mind the balance of ease of porting with security. I'm willing to bet now that the rule changes will anger people because porting will become harder.


    • Anonymous Coward, 6 Oct 2021 @ 12:35pm

      Re: duh and double duh

      Indeed.

      Something else to remind everyone: even if you lock your SIM card (you should), this won't prevent SIM Hijacking, as SIM Hijacking isn't actually SIM Hijacking -- it's the phone account on the telco's side that gets hijacked, and the registered SIM on the account gets replaced with one belonging to the attacker.

      Personally, I think I would have been happier if each SIM had a number slaved to it, and if you get a new SIM, you get a new number. This could be routed around with eSIMs, where you can move your electronic SIM between devices without requiring a physical card.


  • TaboToka (profile), 6 Oct 2021 @ 8:50am

    Not exactly

    while deregulation can help improve functional, competitive, healthy markets

    This only works in a very limited way. Capitalism is driven via two primary pressures:

    1. Expansion (healthy: offering something the competition doesn't vs. unhealthy: buying the competition).
    2. Reducing costs/increasing revenue

    Number 2 works only as long as #1 doesn't. The moment there aren't enough competitors to keep the players actually competing (on price, service, quality, etc), then price will increase and service & quality will decrease.

    Capitalism has built-in pressures to drive down to zero expenses and drive up to maximum revenue.

    Government regulation can cap prices, forcing companies to compete on service, quality and amenities. Anyone who flew before deregulation knows what I'm talking about.

    Without any regulation, #1 results in Lord of the Flies cannibalism.


    • James Burkhardt (profile), 6 Oct 2021 @ 9:17am

      Re: Not exactly

      Let's look at that full quote for a moment:

      But as we've established for years, while deregulation can help improve functional, competitive, healthy markets, that's not what U.S. telecom is.

      You've expanded on the point being made in the article, but cropped your quote so as to imply Techdirt has claimed the opposite. Contextually, the quote says that "while deregulation can help improve functional, competitive, healthy markets", US telecom is not a "functional, competitive, healthy market".

      Stating deregulation doesn't work in an environment without competition is exactly what Techdirt was saying. Why you've positioned your commentary in opposition to Techdirt's commentary, rather than as supportive of Techdirt's commentary is unclear.


  • Anonymous Coward, 6 Oct 2021 @ 8:59am

    The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts.

    This is literally the opposite of "SIM hijacking". It's the account (or phone number) being hijacked, not the SIM.


    • Anonymous Coward, 7 Oct 2021 @ 5:58am

      Re:

      IIRC, there are 2 ways to get access to your phone number.

      You either get the number and swap the SIM card (which is what is being talked about here), or you get the number and redirect the SMSes through an SMS redirect service.

      I doubt the FCC is fast enough to tackle the other issue.


  • That Anonymous Coward (profile), 6 Oct 2021 @ 9:13am

    Which member of Congress got simjacked?
    We know this is the only reason they ever do anything that might accidentally benefit citizens.


    • James Burkhardt (profile), 6 Oct 2021 @ 9:23am

      Re:

      Under that logic, Ron Wyden years ago? It's in the article as something he has been agitating about for years. I imagine congressional reps are constant targets for these kinds of attacks, and anyone concerned for their own well-being should be concerned with this issue out of pure self interest. I really am struggling to see why you don't think any of them might be self-interested before they get simjacked. I've always been surprised their own self interest hasn't motivated similar thinking more often in these cases.


      • That Anonymous Coward (profile), 7 Oct 2021 @ 10:23am

        Re: Re:

        Because every corporation providing them any service tends to put big flashing warning lights on their accounts.
        They are handed a special Comcast help number to use when they have a problem with their service, which gets them the white glove service they think we all get.
        This isn't an anomaly; it feeds into the bubble Congress operates in, where they think everything is fine because they never had that problem.
        Ron Wyden is an anomaly because he actually seems to give a shit how these things harm lots of citizens, the cost to stop it isn't that great, but without a law forcing them to do it corporations won't because it might lower stock price by .003 cents.


  • Anonymous Coward, 6 Oct 2021 @ 9:54am

    require wireless carriers adopt secure methods of confirming the customer’s identity before porting out

    I look forward to being required to tell the CSR my Social Security Number and Mother's Maiden Name, both of which are highly secret and therefore excellent for confirming my identity.


    • James Burkhardt (profile), 6 Oct 2021 @ 10:04am

      Re:

      I look forward to being required to tell the CSR my Social Security Number and Mother's Maiden Name

      You might be confused: that is the reality right now, and those methods are, as you sarcastically pointed out, bad. The demand is that these methods get replaced by actually good methods for dealing with identification.


    • Bruce C., 6 Oct 2021 @ 12:12pm

      Re:

      No they'll just send a 6 digit pin to your existing phone via their highly secure SMS aggregation service.


  • Pixelation, 6 Oct 2021 @ 6:22pm

    "...Ajit Pai school of thought on telecom policy, which basically involved coddling major telecom companies in the misguided belief that this regulatory apathy somehow results in free market utopia."

    It is a free market utopia. For big telecom.


  • Anonymous Coward, 7 Oct 2021 @ 7:03am

    Grateful that the FCC is finally acting on this, or so it appears, but until Biden gets off his big round one and sorts out the new appointment to the FCC so real issues can get sorted out, most importantly Net Neutrality reinstatement, we're just living in hope all the time.


