
Lawmakers Prod FCC to Act on SIM Swapping - mikece
https://krebsonsecurity.com/2020/01/senators-prod-fcc-to-act-on-sim-swapping/
======
mrandish
This seems like it's already a serious and growing problem. It might be best
to take a two-pronged approach of quickly implementing process requirements
that make such swaps harder for crooks while working to come up with a longer-
term technological solution.

It's crazy that a minimum-wage retail mobile store employee is the weak link
in a system that protects almost everyone's financial assets from banking and
investment accounts to credit cards and crypto-currencies.

~~~
throwawayatt
I purchased an unlocked iPhone recently from Apple and decided to swap my AT&T
SIM to the built in eSIM so that I could free the physical slot while
traveling. I walked into an official AT&T store, told the guy what I wanted
and within 10min or so I was on my way out. At no point did he ask me to
verify any info on the account, he didn't ask for an ID, my name, send a
verification text, or even ask for the old SIM. All I gave him was the phone
number I wanted ported to the eSIM, and the corresponding IMEI from my phone.

~~~
ThePowerOfFuet
You might want to rethink being an AT&T customer.

------
AmericanChopper
There’s a lot of opportunity to tighten up controls around sim swapping. But
I’d be cautious about this idea being used to introduce phone number
registration legislation (outlawing burner phones). Legislators have tried and
failed to do this at least two times that I know about. Legislatively, this
could even be achieved indirectly, by creating the correct liability
regulations for service providers.

~~~
im3w1l
Doesn't _creating liability_ typically cause a lot of undesired side effects?
Like poor and marginalized people being unable to swap since everyone knows
people like that are up to no good.

Seems better to mandate a reasonable process. Like if you have connected your
sim to your identity you prove your identity to swap. And if you have not,
then you can swap by physically presenting the old sim.

~~~
AmericanChopper
Regulating in general causes a lot of unintended side effects, but creating
new liability is certainly one of the more effective ways of generating them.

In this specific case (depending on how cynical you are), you might see such a
side effect as simply a potential unintended consequence, or you might see it
as a potential opportunity for lawmakers to stealthily pass
legislation/regulation they have previously failed to pass.

There’s no way to say that any changes will even come from this letter at the
moment. But if you think compulsory phone number registration is a bad thing
(and there’s plenty of reasons to be against it), then I’d suggest you pay
attention to how this issue develops, as it would be the perfect opportunity
to sneak it in.

------
closeparen
Instead of trying to shoehorn security into systems that were never meant for
authentication (PSTN, social security), how about building one that’s actually
fit for purpose?

~~~
t34543
It will likely go too far, if something like that ever comes to fruition.

------
deepspace
As others have pointed out, regulating SIM swapping might have unintended side
effects. A better approach may be to pressure internet companies, and
especially email providers, to drop SMS as a method of authentication.

~~~
throwawayatt
SMS is less a means of authentication and more a means of fingerprinting/data
harvesting.

------
rs23296008n1
This isn't actually a tech problem. It is a business process problem. Likely
don't even need to replace much SIM related tech (encryption, authentication)
to do so. Most of it is better procedures and protection from social
engineering and fraud.

Faulty procedures and just plain bad basic security practices. The bar is so
low that if you wrote up and suggested the current system as a plan for some
homework assignment you'd likely fail. Probably get told to rework it and you
might scrape by with a pass.

So there are two aspects: 1) Basic confirmation steps are seen as weakly
performed. 2) Obvious steps are left out. The fact that it's a revelation for
them for the need to notify banks that a sim swap occurred is just one
example. Really? No one thought that banks would be interested _at all_? Just
how inexperienced are the people designing these processes? And the swap
itself. Please tell me that mother's maiden[0] name is not used or that they
don't put a lot of faith in using a birthdate as a secret. Details you might
find on Facebook/Google etc should only be used to confirm which Fred Smith's
account is being modified. Not whether it is Fred authorising the change.

This is a great way to see into the underlying technical debt that likely
exists elsewhere in their systems. If they are this sloppy here then other
aspects are likely just as bad.

[0] "Maiden", really, it is the 21st century!

~~~
closeparen
> The fact that it's a revelation for them for the need to notify banks that a
> sim swap occurred is just one example. Really? No one thought that banks would
> be interested at all?

If I lose my phone, I call Verizon to move service over to last year's model
sitting in a drawer somewhere. It'd be _very_ surprising and creepy if Chase
somehow knew about or acted on this change.

> Please tell me that mother's maiden[0] name is not used or that they don't
> put a lot of faith in using a birthdate as a secret.

On that customer service call, I have to give an account PIN. According to
them, if I don't know it I have to come into a retail store with photo ID.
That seems pretty sensible.

But it's not bulletproof. Probably at least one retail store employee would
take a sufficiently large bribe to skip the ID verification step.

~~~
rs23296008n1
Each their own. In general, I'd also like a way of knowing when a SIM swap
attempt occurred. An SMS would be fine.

And I'd like my bank to know when a swap occurred for basic fraud detection.
Don't need them to know necessarily which mobile provider, but I'd appreciate
a way to prevent all my accounts being cleared out the same or next day as a
SIM swap. Even the simple act of the bank being able to know so they can
temporarily raise security requirements for a few days. A way of registering
who to notify on SIM swap would actually be useful.

SIM swaps are only part of the picture. Still have PINs, authenticators, photo
ID etc.
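
The notification-and-cooldown process described in the comment above, sketched as an added example (not code from the thread or from any carrier or bank): a hypothetical carrier-side registry of who to tell when a number moves to a new SIM, an owner alert, and a bank-side monitor that refuses to accept an SMS code on its own for a few days after a swap. All names, phone numbers and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed reference time for the example: the moment of a SIM swap.
SWAP_TIME = datetime(2020, 1, 10, 12, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Helper: a timestamp `hours` after (or before, if negative) SWAP_TIME."""
    return SWAP_TIME + timedelta(hours=hours)


@dataclass(frozen=True)
class SimSwapEvent:
    """What a carrier would publish: which number moved to a new SIM, and when.
    Deliberately no carrier name or new-SIM details; the bank only needs to
    know that a swap happened."""
    phone_number: str
    swapped_at: datetime


class SwapNotificationRegistry:
    """Hypothetical carrier-side registry: a subscriber registers the parties
    that should hear about swaps on their number (themselves, their bank)."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List] = {}

    def register(self, phone_number: str, subscriber) -> None:
        self._subscribers.setdefault(phone_number, []).append(subscriber)

    def publish(self, event: SimSwapEvent) -> int:
        """Deliver the event to every registered party; returns how many were told."""
        targets = self._subscribers.get(event.phone_number, [])
        for target in targets:
            target.on_sim_swap(event)
        return len(targets)


class OwnerAlert:
    """The owner's own notification channel (e-mail, a second number, an app)."""

    def __init__(self) -> None:
        self.received: List[SimSwapEvent] = []

    def on_sim_swap(self, event: SimSwapEvent) -> None:
        self.received.append(event)


class BankFraudMonitor:
    """Bank-side: remembers the latest swap per number and raises requirements
    for a cooling-off period after it."""

    def __init__(self, cooldown: timedelta = timedelta(days=3)) -> None:
        self.cooldown = cooldown
        self._last_swap: Dict[str, datetime] = {}

    def on_sim_swap(self, event: SimSwapEvent) -> None:
        prev = self._last_swap.get(event.phone_number)
        if prev is None or event.swapped_at > prev:
            self._last_swap[event.phone_number] = event.swapped_at

    def in_cooldown(self, phone_number: str, now: datetime) -> bool:
        swapped_at = self._last_swap.get(phone_number)
        return swapped_at is not None and swapped_at <= now < swapped_at + self.cooldown

    def authorize_transfer(self, phone_number: str, factor_used: str, now: datetime) -> str:
        """Returns 'allow' or 'step_up_required'. During the cooldown an SMS code
        is not accepted on its own, because whoever holds the new SIM receives
        the SMS too; a device-bound factor (TOTP, U2F) or in-person ID is needed."""
        if self.in_cooldown(phone_number, now) and factor_used == "sms":
            return "step_up_required"
        return "allow"


if __name__ == "__main__":
    registry, owner, bank = SwapNotificationRegistry(), OwnerAlert(), BankFraudMonitor()
    registry.register("+15550100", owner)
    registry.register("+15550100", bank)
    registry.publish(SimSwapEvent("+15550100", at(0)))
    print("owner alerts:", len(owner.received))
    print("SMS transfer next day:", bank.authorize_transfer("+15550100", "sms", at(24)))
    print("TOTP transfer next day:", bank.authorize_transfer("+15550100", "totp", at(24)))
    print("SMS transfer after cooldown:", bank.authorize_transfer("+15550100", "sms", at(96)))
```

The bank never learns which carrier performed the swap, only that the number it has on file moved; that is enough to stop trusting SMS delivered to that number for the cooldown period.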

~~~
closeparen
For the cost of that integration, the bank could also just implement 2FA
correctly. U2F, TOTP, even proprietary crap like Symantec VIP are all
inherently resistant to SIM swaps because they keep a secret key on the actual
device; PSTN routing doesn't matter.
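
To make the point above concrete, here is an added example (not code from the thread or from any of the products named) of a TOTP second factor per RFC 6238: the shared secret is generated at enrollment, stored on the device and the server, and verification derives the code from that secret and the clock. The `Account` class and phone numbers are constructed for the example; note that the verification path never reads the phone number, so moving the number to another SIM changes nothing.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter comes from the clock, not from any network."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps of clock drift.
    All candidates are compared (no early return) and with a constant-time compare,
    so timing does not reveal which step matched."""
    counter = unix_time // 30
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


def enroll(label: str, issuer: str) -> Tuple[bytes, str]:
    """Server-side enrollment: a fresh random secret plus the otpauth URI the
    authenticator app scans. After this the secret exists on the device and the
    server, nowhere in the phone network."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = f"otpauth://totp/{issuer}:{label}?secret={b32}&issuer={issuer}&digits=6&period=30"
    return secret, uri


class Account:
    """Minimal account record, constructed for the example."""

    def __init__(self, username: str, phone_number: str, totp_secret: bytes):
        self.username = username
        self.phone_number = phone_number  # used for SMS only; never consulted below
        self.totp_secret = totp_secret


def second_factor_ok(account: Account, submitted_code: str, unix_time: int) -> bool:
    """Second-factor check. It consults the device-bound secret and the time,
    not account.phone_number, so a SIM swap has no effect on it."""
    return verify_totp(account.totp_secret, submitted_code, unix_time)


if __name__ == "__main__":
    secret, uri = enroll("fred", "ExampleBank")
    print("provisioning URI:", uri)
    acct = Account("fred", "+15550100", secret)
    now = 1_577_836_800  # constructed timestamp: 2020-01-01T00:00:00Z
    device_code = totp(secret, now)          # what the authenticator app shows
    print("before swap:", second_factor_ok(acct, device_code, now))
    acct.phone_number = "+15550199"          # number moved to a different SIM
    print("after swap: ", second_factor_ok(acct, device_code, now))
```

The same holds for U2F/FIDO keys, which sign a server challenge with a private key that never leaves the token; in both cases the only way to produce a valid response is to hold the device, which is exactly what a SIM swap does not give.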

