The Federal Communications Commission has unveiled its first set of proposed cybersecurity rules under the Biden administration.
The FCC proposes to tackle a severe problem known as SIM swapping, a common form of digital identity theft that individual victims can do very little to prevent on their own.
“Unfortunately, this is a case where government regulation is required,” says Allison Nixon, chief research officer of cyber intelligence firm Unit221B.
“Private enterprises have failed to deal with this problem on their own.”
In 2019, Twitter CEO Jack Dorsey was infamously SIM swapped. Both AT&T and T-Mobile were hit with lawsuits accusing them of failing to protect their customers from such an attack.
One bitcoin investor even filed a lawsuit against a high school senior for allegedly taking $23.8 million in cryptocurrencies via SIM swap.
Here’s everything you need to know about this growing trend in hacking, as well as what the FCC is doing to combat it.
WHAT IS SIM SWAPPING?
According to Nixon, SIM swapping is a sort of fraud in which criminals take over your phone number and use it to verify accounts that you own.
If you have two-factor authentication enabled, you will normally receive a verification code on your phone to access your accounts.
Attackers favor SIM swapping because once they control a victim's phone number, it is a simple route into email and bank accounts that rely on that number for verification.
For example, if you've ever logged into an account and then received a confirmation code by text message, that text message is exactly what an attacker receives instead of you once your number has been swapped.
“In the previous year, SIM swapping assaults have increased drastically in several nations, not only in the United States but also in Canada and Europe,” says Benjamin Fung, a lecturer at McGill University’s School of Information Studies.
He claims that the approach has spawned a slew of imitators because the attack requires little effort or technical expertise and can result in profitable access to bank account logins.
HOW DOES IT WORK?
Hackers can accomplish this in a variety of ways. An attacker can impersonate you and call your cell phone provider, claim to have a new phone, and ask that your number be moved to it.
They can also call a different carrier and ask to port the number over, posing as a customer who wants to switch from Verizon to AT&T, for example.
Another route is compromising a carrier's internal systems with malware and using that access to hijack employee accounts, so the attacker can push the change through directly.
They can also bribe, extort, or blackmail phone company employees to gain access to the numbers they desire.
“All the victim will notice is that their cell phone stops receiving service,” Nixon explains, “since the provider is now providing service to a different phone.”
“It’ll appear as if you didn’t pay your bill and were disconnected.” The victim then watches passwords get reset on one account after another until they are locked out of most, if not all, of them.
WHAT ARE THE BEST WAYS FOR PEOPLE TO PROTECT THEMSELVES?
There is very little that individuals can do to defend themselves. “The issue is that people’s ability to identify themselves on the internet is broken,” Nixon argues.
“You as a human are nothing more than your phone to a website. Someone else is effectively you if they can steal your phone number.”
Nixon, who has worked with SIM-swap victims for years, says she has encountered cases where the fraudster was better at demonstrating the stolen digital identity than the victim was at proving their own.
Those victims were frequently people who followed all of the recommended digital precautions but were nevertheless permanently locked out of their accounts.
“We constructed the internet on a foundation that has some fractures in it, and the foundation itself needs to be restored,” she argues.
Nixon informs her high-end clients that they should presume the phone system is hacked and that any two-factor authentication that requires a phone number for verification is questionable.
Safer options are a hardware security key such as a YubiKey, a physical device you tap to approve a login,
or an authenticator app such as Authy, which you enroll by scanning a QR code and which then generates a time-based code for you to enter. Neither depends on your phone number, so a SIM swap does not affect them.
WHY ARE THE PHONE COMPANIES FAILING TO CORRECT THIS?
If you walk into a phone store with $1,000 and tell them you forgot your password but want to buy a phone,
Nixon believes the phone company will most likely figure out a method for you to get into your account since they want your business.
That is a mindset that is incompatible with account security.
“The issue is that these accounts are so easy to take over,” Nixon explains, “since these phone providers want to sell phones and service contracts.”
“It would be more difficult for the regular consumer to get a phone if these firms secured these accounts.”
Fixing the issue would mean making customer accounts harder to take over, which would raise the cost of acquiring each subscriber for the phone providers.
“It’s not going to get repaired unless the government forces firms to fix it,” Nixon argues.
WHAT IS THE FCC DOING ABOUT IT?
Before moving a customer's number to a new phone or SIM, the FCC's proposed rules would require carriers to verify the customer's identity.
Customers could confirm their identity by providing a pre-set password or by receiving a one-time password via text message, email, or phone call.
If a SIM change request is submitted on a customer's account, the carrier would have to notify them immediately.
Right now, that change happens in an instant, with no warning and no chance for anyone to oppose or reverse it.
If a customer cannot authenticate in one of these ways, the carrier would not be allowed to move the number to a new SIM.
Customer accounts would also have to offer a “port-freeze” option that locks the account against SIM changes and number transfers.
“A significant proportion of SIM switch cases will be eliminated,” says Fung.
“It’s unclear whether this action would fully eliminate this form of cyberattack, but it’s better than nothing.”
Although US Telecom has objected to other sections of the FCC proposal, the phone companies have not yet voiced any concern about these particular provisions.
“Everyone agrees that SIM swappers are a waste of time,” Nixon says. “Perhaps some lobbying group will try to defeat this proposal because it will raise provider fees.”
But, guess what? Right now, the victims are paying a price. No one is advocating for them.”