Legal Matters

FCC Proposes Rules Targeting SIM Swapping and Port-Out Fraud

The Federal Communications Commission (FCC) is currently seeking feedback on proposed regulations to prevent SIM swapping and port-out fraud. These scams allow criminals to take over a victim’s mobile phone number and even hijack their online identity. 

According to the FCC, SIM (subscriber identity module) swapping takes place when a bad guy tricks a victim’s wireless carrier into transferring the victim’s service from the victim’s cell phone to a cell phone in the bad guy’s possession.    

Port-out fraud is similar, but involves the bad guy opening an account with a carrier other than the victim’s current carrier.  The criminal then arranges for the victim’s phone number to be transferred (or “ported out”) to the account with the new carrier controlled by the criminal. You can learn more about both SIM swapping and port-out fraud at: https://go.usa.gov/xMNUF.  

The FCC has received numerous complaints from consumers about these frauds and has proposed rules to make it more difficult for criminals to perpetrate these crimes. They are currently seeking comments on these new rules.

Traditionally, wireless carriers have required someone seeking to port a number to verify their identity using customer data that (due to data breaches) may be easily available, such as date of birth and Social Security Number. Additionally, many times victims are completely unaware of the crime until well after the fact. The proposed rules would prohibit allowing a SIM swap unless the carrier uses a secure method of authenticating their customers’ ID. The FCC proposes that carriers be required to verify a “pre-established password” with customers before making any changes to their accounts. Examples of pre-established passwords include:

  • a one-time passcode sent via text message to the account phone number or a pre-registered backup number,
  • a one-time passcode sent via email to the email address associated with the account,
  • a passcode sent using a voice call to the account phone number or pre-registered back-up telephone number.

The commission said it was also considering updating its rules to require wireless carriers to develop procedures for responding to failed authentication attempts and to notify customers immediately of any requests for SIM changes.

The FCC said some of the consumer complaints it has received “describe wireless carrier customer service representatives and store employees who do not know how to address instances of fraudulent SIM swaps or port-outs, resulting in customers spending many hours on the phone and at retail stores trying to get resolution. Other consumers complain that their wireless carriers have refused to provide them with documentation related to the fraudulent SIM swaps, making it difficult for them to pursue claims with their financial institutions or law enforcement.”

“Several consumer complaints filed with the Commission allege that the wireless carrier’s store employees are involved in the fraud, or that carriers completed SIM swaps despite the customer having previously set a PIN or password on the account,” the commission continued.

The proposed regulations are expected to address the above issues.