Your phone number is about to get more secure, and you don’t even have to do anything to make it happen. The Federal Communications Commission (FCC) has issued new directives for cell carriers that will force them to take SIM swapping and port-out attacks seriously. Carriers will now have to use secure authentication when making changes to a subscriber’s phone number.
The FCC announced the rules in July as part of an update to the Customer Proprietary Network Information (CPNI) and Local Number Portability policy. The rules have now been adopted by the commission. “We require wireless carriers to give subscribers more control over their accounts and provide notice to consumers whenever there is a SIM transfer request, in order to protect against fraudulent requests made by bad actors,” FCC Chairwoman Jessica Rosenworcel (below, center) said in a statement.
Phone numbers were never designed to be a component of our online security, and yet, that’s what they’ve become. Numerous services and banks send two-factor login codes as text messages, making phone numbers a target for online criminals. The FCC doesn’t specify what security measures carriers should take. They could require a PIN or passcode to make SIM changes, which is already an option for most carriers. The carrier might also require customers to make SIM changes in physical stores where an employee can verify identification.
In SIM swap attacks, a third-party gets a person’s phone number transferred to a device they control, giving them access to calls and messages. Port-out fraud is more extreme, moving the victim’s number to another service provider. This attack is much harder to fix, but it has the same effect of giving the fraudster access to messages and calls sent to the number.
Losing access to your phone number can lead to account hijacking, loss of data, and a drained crypto wallet if you’ve got one tied to your phone number. The FCC says it has seen a marked increase in the number of SIM swap attack reports. The FBI also says this type of crime is on the rise. The new rules also require companies to notify subscribers immediately when there is a SIM transfer request, potentially giving victims time to head off the worst effects of a SIM swap attack.
This is a positive development for your online security, but it won’t completely solve the problem. Some SIM swap attacks are perpetrated by carrier employees, and they can simply ignore the authentication rules in service of their own criminal activity. If you have any choice in the matter, set two-factor codes to use an authenticator app like Google Authenticator or Authy to take your phone number out of the equation.