FCC Reveals Some Vague Rules That Pretend To Tackle SIM Hijacking Fraud
For years we've talked about the growing threat of SIM hijacking, which involves a criminal covertly porting out your phone number from right underneath your nose (quite often with the help of bribed or conned wireless carrier employees).
Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you're really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.
It's a huge mess, and both the criminal complaints - and lawsuits against wireless carriers for not doing more to protect their users - have been piling up for several years. For just as long, Senators like Ron Wyden have been sending letters to the FCC asking the nation's top telecom regulator to, you know, do its job.
After years of inaction the agency appears to have gotten the message, announcing in 2021 a new plan to consider some new rules to make SIM hijacking more difficult. Several years later, the FCC has only just voted to approve new rules. Since a lot of SIM hijacking occurs with help from wireless employees getting bribed by criminals, the rules primarily focus on trying to ensure that consumers are consistently updated:
"The rules require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers' accounts and take additional steps to protect customers from SIM swap and port-out fraud."
But as with so much the FCC does, the rules are rather vague in a bid to try and avoid upsetting politically powerful wireless carriers. Like the FCC's "broadband nutrition labels" (which urge ISPs to be transparent in how they're ripping you off, but do nothing about the fact that ISPs routinely rip you off), the focus is transparency. Like the FCC's digital discrimination order, there's no punishment - or even overt criticism - of companies that have routinely failed to protect private consumer information.
As a result, industry watchers aren't really sure the rules will actually do all that much, given they're rather vague on what "secure authentication methods" carriers are supposed to adopt, or what penalties carriers will see if they don't clean up their security practices. This all assumes that the FCC will actually enforce the rules in the first place, which, as we've seen with robocall, privacy, and broadband competition issues, is a fairly major and unreliable assumption.