Export Compliance Daily is a Warren News publication.
Safeguards 'Too Optional'?

SIM Swapping NPRM Seen Getting 4-0 Support

FCC officials told us 4-0 approval of a draft NPRM on SIM swapping and port-out fraud is likely at Thursday's monthly meeting (see 2109230080). Commissioner Brendan Carr's office said it expressed support for the item when it was on circulation, before being added last week to the September agenda. Commissioner Geoffrey Starks' office told us he's seeking two changes to the order. One is a request for comment about whether the FCC, when looking at authentication standards, should incorporate National Institute of Standards and Technology standards or opt for another set. Another change would be a request for comment about subsequent audits for compliance for any requirements adopted.

The draft NPRM seeks comment on ways the FCC could require multifactor authentication when a carrier is carrying out a SIM swap, such as a one-time passcode sent via text, an official said. It asks about procedures for failed authentication attempts, we're told. The draft NPRM asks about ways the FCC can require providers to take extra steps before porting a number to another carrier, the official said. An official said the document asks questions about strengthening customer proprietary network information and number-porting rules as well as other consumer protection measures. The agency hasn't made the draft item public.

The FCC told us it has received numerous complaints from consumers who suffered “significant distress, inconvenience and financial harm” from SIM swapping. SIM swapping is tricking a wireless carrier into transferring a victim's service from the victim's mobile phone to a cellphone in the scammer's possession. Another area of concern, port-out fraud, is when a scammer, posing as the victim, opens an account with a carrier and arranges for the victim's phone number to be transferred or “ported out” to the new carrier and controlled by the scammer. The commission said recent data breaches have exposed customer information that could make those types of attacks easier.

Carrier-wide identity-proofing to prove people are who they say they are is a must for tackling SIM swap and port-out frauds, said Robert Siciliano, ProtectNow cyber social identity protection instructor. He said carriers have basic safeguards like knowledge-based identification or two-factor authentication, but they should be required to have a full suite of verification and authentication tools. He said requiring two-factor authentication in most instances should be mandatory. “A lot of it is too optional,” he said. “It needs to be standard.” CTIA didn't comment.

Yet such verification and authentication steps don't pass “the grandmother test” and can be a challenge to less tech-savvy consumers, Siciliano said. “It would lock a certain segment of the population out of their accounts,” and they're often particularly vulnerable to scams, he said. He said SIM swapping isn't a huge problem currently, and carriers mightn't want to make changes. He said the FCC proceeding is proactive, and needs to be, as the potential level of financial fraud could be sizable for victims.