United States lawmakers have appealed to the Federal Communications Commission (FCC) to hold telecoms providers to account for failing to protect consumers against SIM swap attacks.
SIM-swapping — alternatively known as a port-out scam — involves the theft of a cell phone number in order to hijack online financial and social media accounts, enabled by the fact that many firms use automated messages or phone calls to handle customer authentication.
On Jan. 9, six Democrats from the U.S. House of Representatives and Senate sent a letter to FCC Chairman Ajit Pai, requesting that the agency impose more robust requirements on mobile carriers to mitigate the risks of such attacks.
“Consumers have no choice but to rely on phone companies to protect them”
The lawmakers’ letter reveals that the number of complaints pertaining to SIM swaps has increased from 215 in 2016 to 728 through November 2019, according to the Federal Trade Commission. They note that consumer complaints usually reflect just a small fraction of the actual number of total incidents.
They further point to a November 2019 Wall Street Journal report claiming that a law-enforcement task force in Santa Clara County had revealed it was aware of over 3,000 SIM swap victims, accounting for $70 million in losses nationwide.
In some cases, as the lawmakers underscore, SIM swaps are successful thanks to corrupt telecoms firm employees. While additional security measures — i.e. requiring customers to show IDs in-store to conduct SIM swaps — have been adopted by some carriers in the U.S. and abroad, their implementation in the States allegedly remains “spotty and consumers are unlikely to find out about the availability of these optional security features until it is too late.”
Aside from risks to consumers, the letter argues that such attacks may endanger national security, noting that “countless […] U.S. government websites used by millions of Americans either allow password resets via email or support two-factor authentication via SMS, which can both be exploited by hackers using SIM swaps.”
The lawmakers posed eight questions to the FCC, among them how many reports of SIM swap incidents it had received, if indeed it had tracked them, as well as inquiries into its coordination with third parties such as banks and its regulations over mobile carriers’ reporting to law enforcement.
Repeated failures
The prevalence of SIM-swapping has brought telecoms firms — gatekeepers of user identity data — under increasing pressure for their alleged complicity in the crime.
AT&T, for example, has faced more than one lawsuit accusing it of repeatedly failing to protect user accounts in violation of the Federal Communications Act.
One plaintiff, tech advisor Seth Shapiro, today accused AT&T of marshaling a “host of red herring whataboutism inquiries” in its December motion to dismiss a lawsuit over its role in indirectly facilitating the theft of over $1.8 million in cryptocurrency from Shapiro’s accounts.
Michael Terpin — another blockchain and crypto investor who filed a SIM-swapping-related lawsuit against AT&T — told CryptoX that the biggest risk to crypto investors “is that major phone companies promise you security and don’t deliver it.”