We’ve all been spammed by robocalls and faced the threat of SIM swap attacks for years, and now the FCC is finally planning to do something about it.
The three major U.S. carriers implemented STIR/SHAKEN authentication across their networks in June in an effort to cut down on incredibly annoying spam calls. This week the FCC proposed two new rules to combat the never-ending spam call scourge, along with new proposals to protect against SIM swaps and port-out attacks.
The FCC announced starting Sept. 28, carriers and voice service providers who have not implemented STIR/SHAKEN or filed certifications with the FCC’s Robocall Mitigation Database will be blocked from domestic phone networks. For carriers who haven’t been able to implement STIR/SHAKEN, certifying data with the FCC’s Robocall database should further eliminate the use of fake numbers to spam people’s phones.
“The FCC is using every tool we can to combat malicious robocalls and spoofing — from substantial fines on bad actors to policy changes to technical innovations like STIR/SHAKEN,” Acting FCC chairwoman Jessica Rosenworcel said in a statement. “Today’s deadline establishes a very powerful tool for blocking unlawful robocalls.”
Additionally, to help prevent robocalls from overwhelming 911 call centres, the FCC also adopted another set of rules that require carriers and voice service providers to block all calls made to 911 call centres from numbers listed on the Public Safety Answering Points’ (PSAP) Do-Not-Call Registry.
The FCC also proposed new rules to help prevent SIM swaps and port-out fraud. Hackers have started using SIM swap attacks, in which they convince a carrier to swap their target’s wireless service to a phone the hacker controls. This allows the hacker to receive any two-factor authentication verification codes that might get sent to the victim’s number, potentially allowing the hacker to gain access to the victim’s online accounts. A port-out fraud occurs when a hacker is able to trick a carrier into switching someone’s service to an entirely new provider, once again allowing the hacker to gain access to the victim’s 2FA verification codes.
To help cut down on the number of these attacks, the FCC is proposing new rules that could require carriers to better authenticate a person’s identity before transferring someone’s number to a new device or service provider. Additionally, the FCC wants carriers to properly notify customers anytime a service change or SIM change is requested, hopefully giving people a chance to confirm the request or respond to a potential attack.
But even with the FCC’s new proposals, it’s important to remember that whenever possible, you should try to use an authenticator app like Authy or the Google Authenticator, or a hardware-based security key instead of your phone number for 2FA, as your phone number is one of the least secure 2FA methods.
That said, not every app or account supports authenticator apps or security keys, so here’s hoping the FCC’s proposed rules can help.