Congress Urges FCC Action on SIM Swapping Scams

Congress implored the Federal Communications Commission (FCC) on January 9 to act on SIM swapping scams. SIM swapping is “a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control.” While the FCC has not taken direct action to prevent this type of scam, Congress has sent a letter to the FCC inquiring as to the agency’s plans to “track and combat” SIM swapping.

KrebsOnSecurity reported that “SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.” This allows malicious actors to defeat a service’s two-factor authentication requirement.  The actor could log into a service (using previously collected information), triggering a verification code text message to be sent to the actor’s device, allowing access. This technique can be used to steal someone’s identity, empty their accounts, or view confidential information.

In their letter, lawmakers asked the FCC “to require wireless carriers to protect consumers from fraud and the theft of their most sensitive personal data by criminals and foreign governments who can empty their bank accounts, read their personal email and access their private photos and documents.” The letter notes that because of the wide use of two-factor authentication, SIM swapping is particularly dangerous.

Other countries, including South Africa, Kenya, Nigeria, Australia, and the United Kingdom, have taken measures to flag potential SIM swapping. Mobile carriers share information about the most recent SIM swap date of a customer with banks to identify potentially suspicious activity. Carriers may also enact policies in the United States and in other countries that can protect consumers from SIM swaps by adding security measures to an account, preventing a SIM swap unless done so in a store with valid identification. However, these added security measures are not always clearly implemented.

SIM swappers often steal cryptocurrencies from consumers. One scammer, Nicholas Truglia, a 22-year-old alleged to have stolen $24 million in cryptocurrency from blockchain investor Michael Terpin, was indicted in New York last month.  In October, Terpin sent a letter to FCC Chairman Ajit Pai, asking for regulation to secure consumer’s phones against SIM swapping. Terpin later told KrebsOnSecurity that “[i]t took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars. Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

The letter penned by Congress was signed by Sens. Ron Wyden (D-Ore.), Sherrod Brown (D-Ohio) and Edward Markey (D-Mass.), and Reps. Ted Lieu (D-Calif.), Anna Eshoo (D-Calif.) and Yvette Clarke (D-N.Y.).

The President recently signed an anti-robocalling bill into a law to combat a different form of scamming.