Democrats in the U.S. Congress are demanding the Federal Communications Commission (FCC) takes action to tackle the rise in SIM swapping attacks.
Responding to the groundswell of reported SIM swap heists, senators Ron Wyden (Ore.), Sherrod Brown (Ohio) and Ed Markey (Mass.) and representatives Ted Lieu (Calif.), Anna Eshoo (Calif.) and Yvette Clarke (N.Y.) sent FCC Chairman Ajit Pai a letter Thursday urging him to do more to hold cell carriers accountable for the low-cost but often highly lucrative crime.
Cybersecurity blog KrebsOnSecurity first reported the letter.
SIM-swapping is the act of remotely accessing a target’s cellular identity, essentially co-opting the associated phone number for nefarious purposes. There’s any number of ways to swap a SIM; in some cases, hackers even bribe or exploit cell carrier employees.
Once the number is taken over, the fraudster can reset victims’ passwords, steal credentials and wipe personal information, bypassing most security mechanisms that rely on cellular two-factor authentication. That can be costly, especially for a crypto community still largely reliant on text-based account security. To date, millions of dollars in crypto have been stolen in alleged SIM swap attacks.
The lawmakers’ chief concern appears to be America’s lack of comprehensive consumer protection policies. They note that some jurisdictions require prevention methods, like in-store verification, while others lag behind.
“Implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are unlikely to find out about the availability of these obscure, optional security features until it is too late,” the lawmakers wrote.
They also demanded to know more about how the FCC tracks SIM swap reports, if it has been educating the public on prevention and if it has investigated such hacks in the past.
One of the most public victims of an attack was crypto investor and communications executive Michael Terpin, who lost over $20 million to SIM-swappers in 2018. He sued his cell provider, AT&T, for failing to protect him, alleging the company was responsible for its employees who allegedly worked with the fraudsters.
Last month, prosecutors unsealed an indictment against Nicholas Truglia, who is suspected of orchestrating the Terpin heist.