Consumer Electronics Daily was a Warren News publication.
'Pervasive Insecurity'

Wireless Urges SIM Swap Fraud Flexibility; RWA Wants Return of Broadband Privacy Measures

Wireless interests told the FCC any rules aimed at preventing SIM swap and port-out fraud shouldn't make it too difficult for consumers to change wireless carriers, per docket 21-341 comments that were due Monday. Princeton's Center for Information Technology Policy (CITP), citing a study it did of SIM swap safeguards at the five major wireless carriers, said the companies are guilty of "pervasive insecurity." The Rural Wireless Association (RWA) urged reissue of the customer authentication and data encryption measures that were part of 2016's repealed broadband privacy order. The FCC adopted a SIM-swapping/port-out fraud NPRM 4-0 at September's meeting (see 2109300069).

Theft and theft-preventing technologies change quickly, so the problems and fixes aren't static, and rules should give carriers latitude on what tools are used for authenticating and protecting customers, said the Competitive Carriers Association and NCTA. CTIA said the agency should make clear that methods identified as part of secure authentication constitute safe harbors. It said the list of reasonably secure methods should go beyond passwords and passcodes to authentication via government-issued ID, authentication based on analytics, app-based authentication tools or biometric authentication.

The data the agency suggests be used for authentication is often compromised by hackers, so the NPRM should expand to protection of that data, RWA said. It argued the FCC should reissue rules included in the broadband privacy order without running afoul of the Congressional joint resolution of disapproval that rescinded that order (see 1704040059).

The FCC should make clear that carriers can offer customers the ability to lock accounts to prevent unauthorized port transfers and SIM swaps, and carriers can initiate such locks if high-risk activity is identified, said T-Mobile. AT&T said prescriptive approaches like waiting periods or mandatory notifications would make SIM and port-out transactions more frustrating without reducing risk. It said the commission should tap its Communications Security, Reliability, and Interoperability Council, North American Numbering Council or Technical Advisory Committee for input before acting. Verizon sought "a fresh look" at existing customer proprietary network information rules for customer authentication. Customer proprietary network information "may have been state-of-the-art at one time, but security methods have evolved since then and will continue to do so," it said.

Providers that don't safeguard customers' private information should have to pay for the losses suffered by those customers, and any swap should happen in retail stores where identity can be checked if multifactor authentication can't be reliably used, said the National Consumer Law Center and the Electronic Privacy Information Center.

Princeton's CITP said it made 10 prepaid accounts at each of the carriers and then called customer service and tried to do SIM swaps using limited information a scammer might have available. All five used types of customer authentication not generally accepted in information security and with "serious security shortcomings," CITP said. It said any carrier that uses passwords for customer authentication should have to use passwords that are consistent with current best practices and not allow short, guessable ones. It said the FCC also should require carriers to regularly check customer passwords against datasets of widely used and compromised credentials as protection against password guessing attacks.
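One way a carrier could implement the password checks CITP recommended, as an added example that is not from the CITP study or any carrier's code: it enforces a minimum length, rejects obviously guessable strings, and looks the password up in a constructed stand-in for a compromised-credential dataset by hash prefix, so a real lookup service would only ever see the first few characters of the hash. The minimum length, the sample breached passwords and the function names are assumptions.

```python
"""Customer-password checks: length, guessability, and a lookup against a
compromised-credential dataset. Example code with constructed sample data."""
import hashlib

MIN_LENGTH = 8  # assumed policy value, not a number from the article

# Constructed stand-in for a breached-credential dataset: SHA-1 digests of a
# few widely used passwords, indexed by the first 5 hex characters of the
# digest. Splitting on a prefix lets a client fetch only the matching range
# and compare the remainder locally instead of sending the whole hash.
_SAMPLE_BREACHED = ["password", "123456", "qwerty123", "letmein", "Summer2021!"]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _SAMPLE_BREACHED:
    _digest = _sha1_hex(_pw)
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def suffixes_for_prefix(prefix: str) -> set[str]:
    """Stand-in for a range query: return every stored suffix sharing the prefix."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(pw: str) -> bool:
    """True if the password's hash appears in the (stand-in) breach dataset."""
    digest = _sha1_hex(pw)
    return digest[5:] in suffixes_for_prefix(digest[:5])


def is_guessable(pw: str) -> bool:
    """Cheap structural checks for trivially guessable strings."""
    if pw.isdigit() or (pw.isalpha() and pw.lower() == pw):
        return True  # all digits, or all lowercase letters
    return len(set(pw)) <= 2  # e.g. "aaaaaaaa" or "ababababab"


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason); checks run cheapest first."""
    if len(pw) < MIN_LENGTH:
        return (False, "too short")
    if is_guessable(pw):
        return (False, "guessable")
    if is_compromised(pw):
        return (False, "compromised")
    return (True, "ok")
```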

A variety of digital security companies and advocates pushed for FCC consideration of FIDO authentication. The FCC can't fix the SIM swap fraud problem itself because there are broader digital identity infrastructure gaps that need congressional and White House action, such as a lack of a digital version of government-issued identity paperwork, said the Better Identity Coalition. It said commission reliance on passwords and passcodes could disincentivize stronger tools. With FIDO used by some mobile network operators already, "we are a bit perplexed as to why FCC’s proposal was limited to ... legacy authentication methodologies that are all easily compromised," it said.

Identity verification tech firm Prove urged creation of "a neutral, cross-industry, consumer-managed carrier port and SIM change tool" and said SIM swap information should be readily available for securing transactions across various industries.