date 2001-10-21
from the why-we-can't-have-nice-things dept.
The U.S. Federal Communications Commission (FCC) is asking for feedback on new proposed rules to crack down on SIM swapping and number port-out fraud, increasingly prevalent scams in which identity thieves hijack a target's mobile phone number and use that to wrest control over the victim's online identity.
In a long-overdue notice issued Sept. 30, the FCC said it plans to move quickly on requiring the mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.
"We have received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud," the FCC wrote. "Because of the serious harms associated with SIM swap fraud, we believe that a speedy implementation is appropriate."
The FCC said the proposal was in response to a flood of complaints to the agency and the U.S. Federal Trade Commission (FTC) about fraudulent SIM swapping and number port-out fraud. SIM swapping happens when the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target's phone number to a device they control.
(Score: 0) by Anonymous Coward on Friday October 01, @08:16PM (1 child)
Whereas if it was just a password, the attacker needs my password.
(Score: 2) by DannyB on Friday October 01, @08:33PM
A way 2-factor could be stronger.
Suppose in addition to your password, you also needed to know a PIN.
When the on screen prompt tells you to expect a phone call to verify, it would also tell you to enter your PIN into the phone when you answer.
Now even if the attacker had control of your phone number and would receive the call, they would still need to know the PIN.
Of course, the problem is users who may lose their password might also lose their PIN.
Another way to do 2 factor is not to tie it to a phone number, but to an app on a specific phone. (When you get a new phone, you would re-install the app, and associate the new app with your account.)
Now even if the attacker has your number, he probably doesn't have your actual device. And even if he had your device, that 2FA app would require the device to verify your fingerprint or face or something.
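The device-bound second factor the comment above describes, as an added example that is not code from the article or the commenter: a standard HOTP/TOTP verifier (RFC 4226 / RFC 6238) where the secret is enrolled on a specific app install, so moving the phone number to another SIM gives nothing; the `DeviceFactor` class and account names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class DeviceFactor:
    """Server-side record of the one enrolled app install per account (constructed example)."""

    def __init__(self) -> None:
        self.secrets: dict = {}  # account -> secret held by the enrolled device

    def enroll(self, account: str) -> bytes:
        """Associate a (new) app install with the account. A real provisioning step would
        base32-encode this into a QR code. Re-enrolling a replacement phone overwrites the
        old secret, so the previous device (and any copy of it) stops being accepted."""
        secret = secrets.token_bytes(20)
        self.secrets[account] = secret
        return secret

    def verify(self, account: str, code: str, at: Optional[int] = None) -> bool:
        """Accept the current window plus one on either side to tolerate clock drift.
        The phone number never enters the check; only the enrolled secret does."""
        secret = self.secrets.get(account)
        if secret is None:
            return False
        now = int(time.time()) if at is None else at
        return any(hmac.compare_digest(totp(secret, now + d * STEP), code) for d in (-1, 0, 1))
```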
(Score: 2) by Runaway1956 on Friday October 01, @08:30PM
If my phone company gives away my credentials, the phone company pays me $50,000 plus damages, and they pay a $100,000 fine. End of problem. No phone company will engage in further risky business.
