One of the more devastating ways a hacker can ruin your life is through a SIM-swapping attack. By hijacking access to your mobile phone number, the criminal can receive your text messages, and potentially break into your internet accounts.
But in some good news, the Federal Communications Commission plans to begin a formal rulemaking process to stop SIM-swapping attacks, citing the growing danger and complaints from victims themselves.
“The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM-swapping and port-out fraud,” the commission said. “In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”
SIM-swapping attacks happen when employees at US cellular providers are tricked or sometimes even bribed to make changes to your account. The hackers will pretend to be you, and they’ll convince your carrier to transfer your mobile phone number to their own smartphone.
To pull this off, the hacker can rely on information exposed in past data breaches, which can reveal your birth date, residential address, and—in the worst cases—your Social Security number. If the cellular provider falls for the scheme, the company will transfer your phone number to a new SIM card that the hackers can plug into their device.
The hacker can then use your mobile phone number to break into your internet accounts because cell numbers are often used to receive password reset codes. This most famously occurred to Twitter CEO Jack Dorsey back in 2019.
“Once they do, they can use your phone number to divert your incoming messages and easily complete the kind of two-factor authentication checks that financial institutions and social media companies use,” FCC Acting Chairwoman Jessica Rosenworcel said in a statement. “They also can be used to take over your email and drain your bank accounts.”
In response, the FCC wants to tighten the rules for how carriers handle mobile phone number transferring. This will include requiring cellular providers to securely authenticate a customer before transferring a phone number to a new device or separate mobile carrier. “We also propose that carriers immediately notify customers whenever a SIM change or port request has been made,” Rosenworcel says.
However, the FCC still needs to hammer out the effective safeguards, which could take a variety of forms. For example, the FCC is seeking comment "on requiring up to a 24-hour delay (or other period of time) for SIM swap requests while notifying the customer via text message, e-mail, through the carrier’s app, or other push notification, and requesting verification of the request.
"Additionally, we seek comment on whether we should impose customer service, training, and/or transparency requirements specifically focused on preventing SIM swap fraud," the FCC said. "Anecdotal evidence suggests that, in some cases, customer service representatives are not trained on procedures to deal with customers who have been victims of SIM swap fraud."
As a result, the rulemaking process will take some time, and requires first asking for public comment, before the FCC can finalize the proposed regulations and proceed with a vote. In the meantime, consumers can check out the FTC or FBI for tips on how to prevent SIM swapping.