Members Of U.S. Congress Seek FCC Assistance On SIM Swapping Rules And Education
Risk To Enterprise Cyber Security From Increased Mobile Authentication Fraud
Members of U.S. Congress have written a letter to FCC Chairman Ajit Pai urging the commission require wireless carriers to protect consumers from fraud and the theft of their personal data by criminals and foreign governments.
While the request was made on behalf of U.S. consumers, there are extenuating circumstances impacting the security of data, systems and personnel in the enterprise organization that security leaders need to rationalize.
An Exception For Two-Factor Authentication
Consumers are regularly advised by IT and enterprise security teams, government agencies and experts to secure their data, applications and services using two-factor authentication (2FA). These services often use text messages (SMS) as their second factor. But fraudsters are often able to get wireless carriers to transfer the cell phone accounts of victims to them, steal their login credentials and then empty their victims' bank accounts. This method of fraud is known as "SIM swapping".
Security investigator and reporter Brian Krebs wrote on his blog that, “The scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.”
See Related: Protect The Enterprise From MFA Attacks
Sizing The SIM Swapping Problem
The impact of this type of fraud is large and rising. According to the Federal Trade Commission (FTC), the number of complaints about SIM swapping has increased dramatically, from 215 reports in 2016 to 728 through November 2019. Official consumer complaints usually only reflect a small fraction of the actual number of incidents. Moreover, according to the Wall Street Journal, “Investigators with the Regional Enforcement Allied Computer Team, a law-enforcement task force in Santa Clara County, said they know of more than 3,000 victims, accounting for $70 million in losses nationwide.”
SIM swapping fraud may also endanger national security. For example, if a cyber-criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to falsify official activities. Countless other U.S. government websites used by millions of Americans either allow password resets via email or support 2FA via SMS, which can both be exploited by hackers using SIM swapping.
The concern trickles down to organizations and creates risk of account takeover (ATO) in environments that allow employees to utilize their mobile device for accessing enterprise services and data (BYOD).
Lack Of Awareness; Existing Remedies Are Insufficient
Consumers have limited options to protect their wireless accounts from SIM swapping and are often not informed about these options by mobile network operators until after they have been victimized. In some cases, the SIM swaps have been facilitated by corrupt employees working for the phone company. For example, in May of 2019, the Department of Justice (DOJ) indicted several people who had exploited their employee access to the carriers' computers to conduct SIM swaps that defrauded victims of more than $2 million. Consumers currently have no choice but to rely on phone companies to protect them against SIM swaps. The congressional members are looking for the FCC to hold mobile carriers accountable when they fail to secure their systems.
Better Options Are, Unfortunately, Optional
Some wireless carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID as a form of authentication. Other carriers will only conduct SIM swaps after confirming the receipt by the customer of a one-time password (OTP) sent by email or text message. Some network operators in other countries also make SIM swapping data available to financial institutions so that they can take appropriate additional security measures if a customer's SIM has been swapped recently.
What Congress Seeks From The FCC
Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is optional and most consumers are unlikely to learn about these security features until it is too late. The letter from Congress, signed by U.S. Senators Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and U.S. Representatives Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY), urges rulemaking by the FCC to protect consumers from SIM swapping, port outs and other similar methods of account fraud.
The letter further requests the FCC provide answers to several questions about tracking of reported mobile authentication fraud incidents, the fit of existing number porting and anti-slamming rules with the current and anticipated capabilities of cyber-attackers, awareness and education campaigns to curb mobile authentication fraud, and existing FCC rules that may restrict network operators from reporting SIM swapping violations to law enforcement agencies.