US Lawmakers Pressure Regulator about SIM Swaps

US Federal Communications Commission Chairman Ajit Pai has been sent a letter by six Democrat members of Congress asking about the action being taken to prevent SIM swaps. The letter asks the regulator a series of questions, mostly relating to the information currently collected about SIM swaps, and what intelligence businesses would be permitted to share. The lead signatory is Senator Ron Wyden (pictured), who is especially active in seeking enhanced privacy and security for phone users, having previously lambasted telcos for sharing location data. The lawmakers begin by identifying the reason why phones are used as a gateway to take over other user accounts:

Consumers are regularly advised by companies, government agencies and experts to secure their critical online services using two-factor authentication. These services often use text messages (SMS) as their second factor.

This is true, but it also raises a question. The FBI already advises businesses to seek alternatives to SMS as a second factor, so why focus on securing phones instead of persuading everyone to stop relying on a messaging service that was never designed to be secure? Nevertheless, Wyden and his colleagues insisted that consumers ‘have no choice’ but to depend on telcos to protect them.

According to the Federal Trade Commission, the number of complaints about SIM swaps has increased dramatically, from 215 in 2016 to 728 through November 2019…

That is a large relative increase. But it hardly sounds like an epidemic of crime for a country that has over 250mn phone users. So to strengthen their argument, the lawmakers assert:

…consumer complaints usually only reflect a small fraction of the actual number of incidents.

Press reports about the letter largely repeated the lawmakers’ concern that large amounts have been stolen, but neglected to mention the small number who have fallen victim to SIM swap crime. Wyden and his colleagues repeated a quote from the Wall Street Journal asserting that 3,000 victims have collectively lost USD70mn. The mean loss per SIM swap crime is hence over USD23,000, which should be making people question why the solution to SIM swap crime depends on adding extra security to several hundred million phone accounts, instead of focusing on the security of bank and cryptocurrency accounts held by a much smaller number of wealthy people.

SIM swap fraud may also endanger national security. For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts…

Excuse me? Email is even less secure than SMS messaging. If a bad actor could endanger national security by intercepting the emails of a minor safety official, then the solution is to stop sending sensitive messages by email!

Countless other U.S. government websites used by millions of Americans either allow password resets via email or support two-factor authentication by SMS, which can both be exploited by hackers using SIM swaps.

There is an obvious riposte to the concern expressed by these lawmakers. If the US government is so vulnerable to SIM swaps, why not simply redesign government systems to avoid this vulnerability, just like the FBI advises?

The letter more reasonably observes that other countries have implemented controls that might be replicated in the US, such as telcos notifying banks of a recent change of SIM. The control environment is described as ‘spotty’, which is probably a fair description of the current state of affairs in the USA, but legislators should avoid exaggerating how comprehensive controls are in other countries. The US could take a sensible lead by mandating that all telcos provide an API which informs other businesses about whether a user has changed their SIM. Unfortunately, the authors of the letter ask a wide variety of questions instead of focusing attention on the merits of this specific improvement.
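To make the proposed control concrete, here is an added example of how a bank might consume a telco SIM-change signal before trusting an SMS one-time code. This is illustrative code written for this article, not the letter's proposal, any telco's API, or Commsrisk's code: the lookup shape (a phone number returning the timestamp of the last SIM change, or nothing when the carrier offers no signal) and the 72-hour cooling-off period are assumptions, and the phone numbers and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

UTC = timezone.utc


class Decision(Enum):
    ALLOW_SMS_OTP = "allow_sms_otp"
    # Fall back to an authenticator app, hardware key, or in-person verification.
    REQUIRE_STRONGER_FACTOR = "require_stronger_factor"
    # The carrier exposes no signal (the "spotty" case); the caller decides how to treat it.
    NO_SIGNAL = "no_signal"


@dataclass(frozen=True)
class SimChangeRecord:
    msisdn: str
    last_sim_change: Optional[datetime]  # None: telco has no SIM change on record


# Constructed sample data standing in for a telco lookup (hypothetical API shape).
# Numbers absent from the table simulate a carrier that does not provide the signal.
_TELCO_TABLE = {
    "+15550000001": SimChangeRecord("+15550000001", None),
    "+15550000002": SimChangeRecord("+15550000002", datetime(2020, 1, 10, 9, 30, tzinfo=UTC)),
    "+15550000003": SimChangeRecord("+15550000003", datetime(2019, 6, 1, tzinfo=UTC)),
}


def query_sim_change(msisdn: str) -> Optional[SimChangeRecord]:
    """Hypothetical telco lookup: the record for this number, or None if no signal exists."""
    return _TELCO_TABLE.get(msisdn)


def decide_sms_otp(record: Optional[SimChangeRecord], number_bound_at: datetime,
                   now: datetime, cooldown: timedelta = timedelta(hours=72)) -> Decision:
    """Decide whether an SMS code may serve as the second factor right now.

    number_bound_at is when the customer attached this phone number to the account;
    that step must itself be strongly authenticated, otherwise this comparison is moot.
    """
    if record is None:
        return Decision.NO_SIGNAL
    if record.last_sim_change is None:
        return Decision.ALLOW_SMS_OTP
    if record.last_sim_change <= number_bound_at:
        # The SIM change predates the customer linking this number; a legitimate
        # handset replacement before enrolment should not lock them out.
        return Decision.ALLOW_SMS_OTP
    if now - record.last_sim_change < cooldown:
        # A fresh SIM change is exactly the window in which a swap fraud is monetised,
        # so SMS is not trusted until the cooling-off period has elapsed.
        return Decision.REQUIRE_STRONGER_FACTOR
    return Decision.ALLOW_SMS_OTP


def authorize_with_sms(msisdn: str, number_bound_at: datetime, now: datetime) -> Decision:
    """Full check: fetch the telco signal for the number, then apply the bank's policy."""
    return decide_sms_otp(query_sim_change(msisdn), number_bound_at, now)


# Constructed reference points used by run_demo().
SAMPLE_NOW = datetime(2020, 1, 12, tzinfo=UTC)
SAMPLE_BOUND_AT = datetime(2018, 1, 1, tzinfo=UTC)          # number linked long ago
SAMPLE_RECENT_BOUND_AT = datetime(2020, 1, 11, tzinfo=UTC)  # number linked after the SIM change


def run_demo() -> dict:
    """Evaluate each sample number against the policy and return the decisions."""
    numbers = ["+15550000001", "+15550000002", "+15550000003", "+15550000099"]
    return {n: authorize_with_sms(n, SAMPLE_BOUND_AT, SAMPLE_NOW) for n in numbers}


if __name__ == "__main__":
    for number, decision in run_demo().items():
        print(f"{number}: {decision.value}")
```

The three-way outcome matters more than the exact cooldown: a bank that receives no signal at all has to choose between the status quo (trust SMS anyway) and treating the code as unverified, and that choice is the policy gap the article describes as spotty coverage. The same decision function can gate password resets sent to a phone number, not only login codes.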

You can obtain the full text of the letter at Senator Wyden’s website.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.