For years Motherboard has documented the rampant fraud made possible by SIM hijacking, or the act of covertly porting out a user’s phone number to a new device or carrier—without consumer awareness or approval. Now the FCC says it’s finally taking preliminary steps to reduce both the frequency of the attacks, and the account and identity theft that usually follows.
According to the FCC announcement, the agency is launching a Notice of Proposed Rulemaking (NPRM) to begin discussing the path forward. Note that this is just a proposal to discuss implementing new rules; any actual rule updates could still be a year or two away and require a majority commissioner vote.
“The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud,” the agency said. “In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”
The FCC’s proposal would update existing Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require wireless carriers to adopt secure methods of confirming the customer’s identity before porting out a customer’s phone number to a new device or carrier.
The FCC’s proposal would also require that wireless providers immediately notify customers whenever a SIM change or port request is made on customers’ accounts. That this wasn’t yet industry standard practice—or covered by FCC rules—speaks to the sluggishness with which the government and industry have responded to the problem.
Historically, being a victim of SIM hijacking is usually only the beginning. Attackers who obtain a user’s phone identity often proceed not only to hijack the user’s social media and cryptocurrency accounts, but also to engage in obnoxious harassment campaigns demanding victims make additional sacrifices to regain control of their digital footprints.
As Motherboard has documented for years, an entire underground subculture exists in which accounts and identities stolen via SIM hijacking are traded and sold. Often, the attacks are made possible by wireless industry employees that have been bribed or conned into helping facilitate the number transfers.
Wireless carriers have been repeatedly sued for failing to protect consumers from the scams. AT&T was hit with a $220 million lawsuit in 2018, and another $1.8 million lawsuit in 2019 by users who saw their cryptocurrency accounts drained in the wake of SIM hijacking. T-Mobile has also been hit with several similar lawsuits this year alone.
As the number of attacks grew, carriers belatedly began implementing tighter security precautions. In 2019, T-Mobile began highlighting hidden settings that could help protect consumers, but only after their lack of use was profiled by Motherboard. Last year, Verizon implemented a new feature dubbed “Number Lock,” allowing users to press a single button to restrict number porting from within the Verizon app.
In 2019, Congress began pressuring the FCC to do more. After no meaningful action, lawmakers wrote the agency again last year urging it to protect U.S. consumers and hold companies accountable for dodgy privacy and security practices.
“Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” the lawmakers wrote.
While it took several years, rampant theft, and a growing mountain of criminal complaints, the FCC appears to have finally gotten the message.