A group of senators and representatives has asked the Federal Communications Commission to require wireless carriers to protect consumers from having their phones hijacked via SIM swapping.
SIM swapping refers to a type of fraud where scammers convince the wireless carrier to transfer mobile accounts from one person to another. Carriers assign phone numbers to cell phones via SIM cards, so if someone convinces the carrier that something happened to the original device, the carrier can assign the phone number to the SIM in the new phone. It’s that simple to game the authentication-by-phone-number scheme, and the original owner loses control of the phone number entirely. With full control of the phone number, the fraudster can intercept SMS messages that are sent as a type of two-factor authentication to log into accounts or to reset passwords.
To put this into context, many banks rely on SMS messages for two-factor authentication. Attackers can use the messages to fraudulently log into bank accounts and steal money. Criminals are estimated to have stolen tens of millions of dollars by emptying bank accounts or cryptocurrency wallets this way.
“Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” said the letter to the FCC, which was authored by Sen. Ron Wyden (D-Ore.) and signed by Sens. Sherrod Brown (D-Ohio) and Edward J. Markey (D-Mass.), and Reps. Anna G. Eshoo (D-Calif.), Yvette D. Clarke (D-N.Y.), and Ted Lieu (D-Calif.).
In the letter, the lawmakers urged FCC Chairman Ajit Pai to use the agency’s regulatory authority over wireless carriers to address the problem. The lawmakers wanted to know if the FCC currently tracks consumer complaints about SIM swapping and number port-outs, which refer to the process of moving a phone number from one carrier to another, and whether the agency has initiated any investigations or actions against carriers for failing to protect consumers from these scams.
In some countries, such as the United Kingdom and Mozambique, carriers provide banks with the most recent date the customer changed the SIM for that phone number. This way, financial institutions can flag potentially suspicious login attempts associated with fraudulent SIM swaps. The lawmakers asked in the letter to the FCC whether U.S. federal regulations would prevent mobile carriers from setting up this kind of data sharing with financial institutions.
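A bank could use the carrier-supplied SIM change date described above in a login risk check along these lines. This is an added example, not code from the article or from any carrier or bank; the field names, the three-day window and the decision labels are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: SMS codes are distrusted for this long after a SIM change.
# The article gives no figure; three days is an illustrative policy value.
SIM_CHANGE_QUARANTINE = timedelta(days=3)

@dataclass
class LoginAttempt:
    account: str
    attempt_date: date
    second_factor: str   # "sms" or "app" (hypothetical labels)
    new_device: bool     # device not previously seen for this account

def assess(attempt: LoginAttempt, last_sim_change: Optional[date]) -> str:
    """Return 'allow', 'step_up' (ask for a non-SMS factor) or 'hold'."""
    if attempt.second_factor != "sms":
        return "allow"   # a SIM change does not weaken non-SMS factors
    if last_sim_change is None:
        # Carrier shared no date: do not silently trust SMS on a new device.
        return "step_up" if attempt.new_device else "allow"
    age = attempt.attempt_date - last_sim_change
    # A change date later than the attempt gives a negative age and is
    # treated as a recent change rather than trusted.
    if age <= SIM_CHANGE_QUARANTINE:
        return "hold" if attempt.new_device else "step_up"
    return "allow"

# Constructed sample data: last SIM change per account, as a carrier might
# report it. "carol" is absent to show the missing-data path.
SIM_CHANGE_DATES = {"alice": date(2020, 1, 8), "bob": date(2019, 6, 1)}
ATTEMPTS = [
    LoginAttempt("alice", date(2020, 1, 9), "sms", True),
    LoginAttempt("alice", date(2020, 1, 9), "app", True),
    LoginAttempt("bob", date(2020, 1, 9), "sms", True),
    LoginAttempt("carol", date(2020, 1, 9), "sms", True),
    LoginAttempt("alice", date(2020, 1, 10), "sms", False),
]

def triage(attempts=ATTEMPTS, sim_dates=SIM_CHANGE_DATES):
    """Pair each attempt's account with the decision for that attempt."""
    return [(a.account, assess(a, sim_dates.get(a.account))) for a in attempts]

if __name__ == "__main__":
    for account, decision in triage():
        print(f"{account}: {decision}")
```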
Easy Scams
There are legitimate reasons why carriers allow SIM swapping and porting numbers. Customers may have lost their phones, or switched to a new device that requires a different-sized SIM card, so the original one can no longer be used. Customers may want to switch carriers for better deals or services and not want to give up the phone number they are comfortable with. This customer-service convenience is also a glaring weakness in the carrier’s processes. Thieves can convince employees that a request is legitimate using simple social engineering tricks. In some cases, the scammers may bribe unscrupulous employees at mobile phone stores to switch customer accounts.
The lawmakers also asked what kind of guidance the carriers provide consumers about this problem. Some carriers allow customers to add security protections to their account that prevent SIM swaps or number porting unless the customer physically goes to a store with a valid ID.
“Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late,” the lawmakers’ letter to the FCC said.
Ongoing Problem
The Federal Trade Commission previously issued a warning about SIM swapping back in October. According to FTC data, there were 215 reported SIM swap incidents in 2016, and at least 728 in 2019. However, the lawmakers noted in the letter that not everyone files a complaint (or knows how to), so the reported number of complaints should be viewed as just a fraction of the actual number of incidents.
Twitter CEO Jack Dorsey lost control of his phone number for about 15 minutes, during which the scammers posted vulgar messages online purporting to be him.
Back in 2018, blockchain investor Michael Terpin claimed a SIM swapping scam caused him to lose $24 million worth of cryptocurrency. Terpin eventually filed a $224 million lawsuit (dismissed by the judge) against wireless carrier AT&T for not doing a better job protecting accounts from fraudulent SIM swapping. There have been a handful of similar lawsuits against carriers over the years.
In October, Terpin wrote an open letter to Pai asking the FCC to force U.S. mobile carriers to hide customer PINs and passwords from employees and to notify customers of ways to secure their accounts.
Silent FCC
This isn’t the first time the FCC has been asked to do something about cellphone fraud, and SIM swapping specifically. In an August letter to Pai written by Sen. Amy Klobuchar (D-Minn.), and signed by Sens. Tina Smith (D-Minn.), Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Jon Tester (D-Mont.), Maggie Hassan (D-N.H.), Angus King (I-Maine), Ron Wyden (D-Ore.), and Tammy Duckworth (D-Ill.), the lawmakers noted that the “FCC offers virtually no information to consumers about how to prevent this type of fraud or information about how to seek recourse if they are targeted.”
In this latest letter, Wyden pointed out the national security implications of SIM swapping, as someone who gained control of email or other accounts belonging to a “local public safety official” after hijacking the phone number could potentially “issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.”
Wyden requested a response from the FCC by Feb. 14.
“We urge the FCC to initiate a rulemaking to protect consumers from SIM swaps, port outs and other similar methods of account fraud,” the letter said.