21 July 2023
In a recent announcement, the US FCC has introduced new rules that will require wireless providers to adopt secure methods of authenticating their customers.
“The proposed Report and Order would revise the FCC’s Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. It would also require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts, and take additional steps to protect customers from SIM swap and port-out fraud.”
What struck me about this is why the wireless carriers don’t already have these methods and more in place? Why does it need to be regulated and enforced?
What’s at stake you ask? SIM swapping, Port-outs, etc. But is it a big deal if your phone is ported out by a bad actor. In my opinion, yes, yes, and emphatically yes.
The issue is that in recent years, despite many security folks sounding the alarm, cell phones have become confused with security devices. Have you ever had your bank ask for you to receive a code on your phone to authenticate that it is really you? If so, then you would be concerned if your wireless carrier ports out your number and somebody else can now try to convince your bank that they are you.
Here’s a European approach to the SIM Swapping problem https://www.enisa.europa.eu/news/enisa-news/beware-of-the-sim-swapping-fraud Their statistics make it seem a low occurrence and they offer some useful background and information on the problems as does the previous link from the FCC.
Stay safe.