EPIC Urges FCC to Go Further on SIM Swapping; Industry Disagrees
Groups representing wireless carriers and cable operators urged the FCC to take a cautious approach as it responds to a November Further NPRM on protecting consumers from SIM swapping and port-out fraud (see 2311150042). Additional rules beyond those approved in an accompanying order aren’t warranted, industry groups said. However, the Electronic Privacy Information Center urged the agency to go further in protecting consumers. Comments were posted on Wednesday and Thursday in docket 21-341.
The FCC should harmonize its customer proprietary network information (CPNI) and SIM swap rules and take other actions that limit consumer risks, EPIC said. For example, the commission should require stronger authentication measures, regulate carrier responses to fraud, and “articulate explicitly that successful SIM swap fraud indicates a carrier’s violation of Sections 201(b) and 222 of the Communications Act,” EPIC urged. SIM swap fraud “is so pernicious in part because it subverts what is intended to be a security mechanism, turning it into an attack vector” and there are limited mitigation tactics “consumers can undertake on their own,” EPIC said.
CTIA called for “a flexible and risk-based approach to promote security and protect against fraud.” Carriers need “flexibility to combat sophisticated and evolving schemes with innovative tools and countermeasures,” the group said. CTIA urged the regulator to harmonize CPNI rules with new “risk-based” SIM swapping rules. Expanding the rules further isn’t warranted, CTIA said. It noted that because of existing safeguards, SIM-swap and port-out fraud occurs in less than 1% of SIM change and port-out requests.
Likewise, the Competitive Carriers Association supported harmonizing CPNI and SIM swap rules. The November order concedes that CPNI rules don’t “reflect up-to-date best practices, making them more vulnerable to fraud,” CCA said. While CCA agrees harmonization “would promote security and ease carrier burden, this should only be the case when the new rule would broaden a carrier’s procedures and allow for greater flexibility.” The FCC shouldn’t require customers to be notified every time there’s a failed authentication attempt, which would be overly burdensome, the group said. Additional customer protection rules aren’t needed at this time, CCA said.
“Flexibility will benefit providers and consumers alike,” NCTA said. Cablers agreed CPNI and the swapping rules should be harmonized.
The Voice on the Net Coalition opposed changes to CPNI rules for its members. There is no evidence “that non-wireless customers are subject to the types of fraud the new rules are intended to address or that the existing CPNI rules are not working,” VON said. Data breach rules commissioners approved last month (see 2312220054) will “require all voice service providers to review and update their data protection practices and likely result in changes that will further secure customer information,” the group said.
The U.S. Chamber of Commerce filed comments on one issue raised in the FNPRM: whether to require wireless carriers to explicitly exclude resolution of SIM change and port-out fraud disputes from arbitration clauses in providers’ agreements with their customers or abrogate such clauses. That rule “would be unlawful because the Commission has no legal authority to regulate arbitration agreements,” the Chamber said: “It would deprive consumers and the public at large of the significant advantages that arbitration provides.”