FCC Reminds US Mobile Carriers That Customer Data Needs To Be Protected

The US Federal Communications Commission (FCC) is reminding telcos of their obligations to keep consumers safe from SIM swapping and port-out scams.

SIM swapping and port-out fraud are schemes designed to allow criminals to gain control of customer accounts without needing to get their hands on a physical device. In SIM swapping, a baddie persuades a carrier to transfer a victim's mobile service to their account. In port-out fraud, a criminal poses as the victim and opens an account with a different provider. They then arrange for the victim's phone number to be transferred – or "ported out."

The warning comes in the wake of the Department of Homeland Security's Cyber Safety Review Board report. It highlights the need and requirement for mobile service providers to protect customers from attempts to commandeer their accounts.

Mobile phones are becoming ever more important in the lives of users and are often used as a means to verify identity through services such as multi-factor authentication.

However, the convenience of requesting something like a one-time passcode through SMS and voice calls has attracted the attention of criminals, who can intercept authentication texts through fraudulent SIM swapping schemes.

The Department of Homeland Security's Cyber Safety Review Board put out a report in August detailing how groups such as Lapsus$ carry out their attack. The FCC has followed this by gently reminding telcos via an Enforcement Advisory that under the Communications Act they have a duty to protect the confidentiality of proprietary information of customers.

• FCC probes rise of AI robocall armies
• Washington plans overhaul of wireless spectrum allocation
• Musk's broadband satellite kingdom Starlink now cash flow positive – or so he claims
• FCC throws an $18B bone to rural broadband

The FCC must now advise customers of the risks and ensure that the carriers understand their responsibilities.

The advisory reads: "A telecommunications carrier's failure to reasonably protect customer information, including through allowing fraudulent SIM swap schemes, can independently violate the Act and Commission rules. These failures may result in monetary forfeiture, additional reporting obligations, and/or other administrative remedies."

In the advisory, the FCC warns carriers that proper authentication is required before they hand over access, and the customer must be notified immediately of any changes to, for example, a password or account.

The FCC has been getting more serious about Customer Proprietary Network Information (CPNI) in recent months. In July 2023, a $20 million fine was proposed against Q Line Wireless and Hello Mobile Telecom for apparently failing to protect the privacy and security of subscribers' CPNI.

At issue was the reliance on "readily available biographical information and account information to control online access to CPNI." ®