FCC Tightens Telco Rules To Combat SIM-Swapping (securityweek.com)
An anonymous reader quotes a report from SecurityWeek: Moving to clamp down on the growing scourge of SIM-swapping and port-out fraud, the Federal Communications Commission (FCC) has unveiled new rules mandating telcos to give consumers greater control of their mobile phone accounts. Under the new rules, wireless carriers are required to notify customers of any SIM transfer requests, a measure designed to thwart fraudulent attempts by cybercriminals. The FCC has also revised its customer proprietary network information and local number portability rules, making it more challenging for scammers to access sensitive subscriber information.
The new protective measures (PDF) are meant to address SIM-swapping and port-out attacks widely documented in cybercriminal attacks against businesses and consumers. The attack technique is used to hijack mobile accounts, change and steal passwords, bypass MFA roadblocks and raid bank accounts. Studies have found that major mobile carriers in the US are vulnerable to SIM-swapping with the Federal Bureau of Investigation (FBI) receiving thousands of consumer complaints every year.
Or maybe make SMS 2fa illegal (Score:5, Insightful)
Re: (Score:2)
> landline
damn! you are old.
Re: (Score:3)
You haven't seen the homeless and immigrants happily pecking away at their cell phones?
Cell phones are increasingly a sign of the poor and disadvantaged. I used to stop in to a local Starbucks where the Microsoft bigshots also frequented. I don't think I ever saw Steve Ballmer or Bill Gates talking on cell phones. They were always with a few friends or co-workers talking in person. Cell phones are a sign of being on a short leash in the corporate hierarchy.
Re: (Score:3)
Can't get a phone plan without a credit card or bank account. Can't get a bank account without a working mobile number. Maybe UOP, Universal Obama Phones, are going to have to happen. Since I doubt industry is going to change their ad hoc security policies.
Re: (Score:2)
It's not exactly a facade, it does actually work pretty well in Europe because for some weird reason our telcos don't fall prone to sim-swapping.
Probably because they're held liable if it happens. Who knew, telcos go the extra mile if it affects their own bottom line.
Re:Or maybe make SMS 2fa illegal (Score:4, Insightful)
Forcing numbers does NOT reduce SPAM.
Not everyone owns a mobile phone. Some people go around with a corporate phone and don't have a need to own their own phone. It's stupid to assume that they use the corporate number as a contact number.
On top of that SMS is insecure. To add SMS 2fa as a security measure is a complete misunderstanding of the meaning of the word security. There are ample examples where security has been compromised by SMS 2fa. You would think by now people would learn.
Re: (Score:2)
I'm on Discord. Discord doesn't have my phone number and I have never received an SMS from Discord, let alone 2FA.
Re:Or maybe make SMS 2fa illegal (Score:5, Insightful)
It's OK if the SMS is just a second factor, in addition to something like a password. The trouble is, too many companies use SMS for account recovery, so it becomes a single factor. Since you can reset the password with just a username and a code received via SMS, it isn't a second factor at all.
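As an added illustration of the point in that comment (not from the article or the commenter): a small Python model that treats login and account recovery as flows and brute-forces the smallest set of factors an attacker must control to reach the account. Policy and factor names are constructed.

```python
"""Shows how an SMS-only recovery path collapses MFA to a single factor.

Constructed example; flows are 'hold these -> gain that'."""
from itertools import combinations

# Constructed policy 1: login needs password + SMS code, but a password
# reset needs only the SMS code (the pattern criticised above).
SMS_RECOVERY_POLICY = [
    ({"password", "sms"}, "account"),
    ({"sms"}, "password"),          # reset: username + SMS code -> new password
]

# Constructed policy 2: recovery also demands an offline backup code.
HARDENED_POLICY = [
    ({"password", "sms"}, "account"),
    ({"sms", "backup_code"}, "password"),
]

FACTORS = ("password", "sms", "backup_code")


def closure(held, flows):
    """Everything an actor can obtain by repeatedly exercising the flows."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in flows:
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return held


def minimal_compromise_sets(flows, factors=FACTORS):
    """Inclusion-minimal factor sets whose compromise yields the account."""
    sets = []
    for k in range(1, len(factors) + 1):
        for combo in combinations(factors, k):
            s = set(combo)
            if "account" in closure(s, flows) and not any(m <= s for m in sets):
                sets.append(s)
    return sets


def effective_factors(flows):
    """Number of factors an attacker really has to beat, recovery included."""
    return min(len(s) for s in minimal_compromise_sets(flows))
```

With the first policy the only minimal set is {"sms"}, so the effective factor count is 1; with the second it is 2.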
Re: (Score:2)
> On top of that SMS is insecure. To add SMS 2fa as a security measure is a complete misunderstanding of the meaning of the word security.
You're talking to a society who still can't manage a bank PIN longer than 4 numbers. To assume you could create any solution more complex and have it understood and accepted by society, is a complete misunderstanding of the capabilities of society.
You would think by now people would learn. About people.
Re: (Score:2)
> On top of that SMS is insecure. To add SMS 2fa as a security measure is a complete misunderstanding of the meaning of the word security.
> You're talking to a society who still can't manage a bank PIN longer than 4 numbers. To assume you could create any solution more complex and have it understood and accepted by society, is a complete misunderstanding of the capabilities of society.
> You would think by now people would learn. About people.
The internal combustion engine is more complex than a 4 digit pin and yet everyone in today's society benefits from it.
You would think by now people would learn. About people.
Re: (Score:2)
> and it is marketable info that can be shared for better revenue.
Correct answer.
It ensures that you (the recipient) actually exist. And it relieves the senders (spammers) from having to purchase lists of email addresses of dubious quality.
It does _nothing_ to ensure that the sender is legitimate. Because it's too easy to inject SMS into a telecom system from foreign systems or through various types of gateways without any verification that the sender is real.
Were the telecoms able to fix their shitty systems and validate both the sender and recipient as actual valid n
Companies keep using sim 2fa for some reason (Score:1)
Stop linking a mobile number to identity. (Score:3)
It's time we altogether stopped using phone numbers as peoples' digital identities. We've got better, cryptographic, highly-secure solutions now in place that are waiting to replace our dependency on mobile numbers. Someone just needs to make it happen.
Require a videocon (Score:2)
We Need Better Support For TOTP (Score:2)
Required to notify customers (Score:3)
Re: (Score:3)
Don't be silly.
A text message should do.
Deceptive or clickbait title? (Score:1)