In 2019, Twitter CEO Jack Dorsey tweeted that "nazi germany did nothing wrong."
He didn't actually do that, though. According to a detailed Wired report, he was the victim of a SIM swap that involved hackers getting hold of his mobile phone account and then using it to access his other accounts, including his Twitter account.
Of course, Twitter's Dorsey isn't the only victim of a SIM swapping hack attack. Indeed, there are a variety of reports of hackers using the practice to steal hundreds of millions of dollars in cryptocurrency, among other illicit activities.
"The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience and financial harm as a result of SIM swapping and port-out fraud," the agency wrote earlier this year. "In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks."
That's likely a tacit nod to a recent massive hack into T-Mobile's systems.
But concerns over SIM swap fraud came to a head last year when researchers at Princeton University reported the results of their own SIM swap attempts. They said they contacted customer service representatives from Verizon, AT&T and T-Mobile – and, in all 30 cases, were able to successfully move phone numbers to new SIM cards.
In come the feds
As a result, the FCC earlier this year said it would probe the issue to see whether it needs to issue new rules to prevent SIM swapping. After all, mobile carriers like AT&T, T-Mobile and Verizon ultimately hold the keys to their customers' phone accounts, and texting is widely used as the second factor in two-factor authentication procedures to secure everything from social media handles to bank accounts.
"We believe that our CPNI [customer proprietary network information] and number porting rules are ripe for updates that could help prevent SIM swapping and port-out fraud," the FCC wrote of its plan to probe the topic. "We propose to prohibit wireless carriers from effectuating a SIM swap unless the carrier uses a secure method of authenticating its customer. We also propose to amend our CPNI rules to require wireless carriers to develop procedures for responding to failed authentication attempts and to notify customers immediately of any requests for SIM changes. We also seek comment on whether we should impose customer service, training and transparency requirements specifically focused on preventing SIM swap fraud. We likewise propose to amend our number porting rules to combat port-out fraud while continuing to encourage robust competition through efficient number porting."
At the FCC, the issue has the support of Jessica Rosenworcel, President Biden's pick to head the agency. "We can help fix this," she said earlier this year. "I look forward to the record that develops and putting an end to this cyber fraud."
In filings to the FCC this week, all of the nation's top carriers, as well as their trade groups, responded to the agency's probe. In general, they argued that they're already working to prevent SIM swaps and that such hacks are extremely rare anyway. They also warned that extensive government mandates on the topic could hinder some of their efforts.
"Any new rules should thus afford providers with the flexibility to nimbly prevent, detect and respond to fraudulent activities, while not unnecessarily burdening customers during the overwhelming majority of legitimate SIM change and porting transactions," Verizon told the agency.
Here are some of the practices each of the big wireless network operators said they're employing to protect their customers from SIM swaps and other fraud.
- "Retail employees in many situations no longer simply review a government-issued ID presented by the customer. Instead, they may scan the customer's ID using technology that looks for indications of authenticity (or lack thereof)."
- "AT&T has leveraged data analytics to develop a sophisticated risk-scoring model for certain postpaid transactions. The model assigns a real-time transaction-specific risk score to certain transactions requested by a customer, including SIM changes and port-outs. The assigned score may trigger heightened authentication requirements or additional fraud prevention and mitigation techniques ... prior to allowing completion of the requested transaction."
- "For transactions meeting a specific threshold in the risk model, AT&T may use one or more forms of notification and related measures. At one threshold, AT&T sends no-charge SMS notifications – one-way communications sent to alert postpaid customers that their number was involved in a potentially unauthorized SIM swap or port-out transaction. Such notifications do not stop the transaction, but they alert customers that a potentially unauthorized SIM swap or port-out has been completed. At a higher risk threshold, AT&T uses SMS confirmations – two-way, no-charge communications sent to postpaid customers asking them to approve or reject a pending SIM swap or port-out transaction."
- "Verizon's general customer care efforts include procedures like encouraging consumers to download and set up the MyVerizon app to enable important protection features and push notification-based authentication. Using the app, customers may easily establish two-factor authentication for online account and customer care access while also using locally-stored biometric information (e.g., device-native fingerprint or faceprintID) to securely log into the app."
- "Verizon also trains all customer care employees to identify and prevent unauthorized SIM change attempts through the use of multiple authentication protocols. Verizon makes all efforts to properly authenticate customers and minimizes the number of employees who have a legitimate business need to access accounts without customer authentication. Two-employee sign-off can be appropriate in circumstances when other authentication methods are unavailable, and Verizon trains select employees to assist customers this way."
- "T-Mobile customers set up an individual 6-to-15 digit PIN that can be used to verify the customer's identity when calling customer service. As the Commission notes, T-Mobile customers must provide their PIN when requesting a port-out associated with that account. Most customers that choose to create a TMobile ID for use on My.T-Mobile.com or with the My T-Mobile app have the option of setting up multi-factor authentication (MFA) using methods, including security questions, SMS, or device-based biometrics such as Face ID or fingerprint recognition on devices that support such features."
- "T-Mobile proactively bolstered authentication practices following release of research associated with the Princeton University study cited by the FCC. The research identified an emerging potential insecurity in using call logs for customer authentication. As noted in the final published paper, T-Mobile subsequently discontinued the use of call logs for customer authentication and notified the researchers."
- "Qualifying customers may wish to enable safeguards such as setting up account takeover protection – a free feature that prohibits unauthorized users from porting the customer's phone line to another wireless carrier. In addition, for most types of customers, T-Mobile can institute a 'SIM change block' that helps protect the customer's SIM from being used in other devices. T-Mobile may activate SIM change blocking in cases of high-risk such as where the user has previously been a victim of fraud."
Broadly, the carriers and their primary trade association – CTIA – argued that the FCC shouldn't only focus on wireless network operators. "All stakeholders in the mobile and Internet ecosystem must play their part to protect consumers. Wireless providers cannot be the only line of defense against criminal fraudsters and scammers behind SIM swapping and port-out fraud, which are often part of broader schemes to do harm to consumers," CTIA told the FCC.
- New SIM Swap Hacks Highlight Carriers' Wobbly Security
- T-Mobile admits breach after epic hacking claims
- Biden announces long-awaited nominees for vacant FCC and NTIA posts