I have a letter from T-Mobile where they state that the only piece of identifying information that anyone needed to authenticate as me and port my number to another SIM card was the last 4 digits of my SSN. The laws that regulate how telecommunications carriers use CPNI (Customer Proprietary Network Information) also regulate the information that they must use to verify an identity.

In legislation adopted by the FCC on March 13, 2007, in FCC 07–22, the FCC clearly mandated that telecommunications providers need to better protect CPNI data by stating that

“The record reflects that pretexters use evolving methods to trick employees at customer service call centers into releasing call detail information. This release of call detail through customer initiated telephone contact presents heightened privacy concerns because of pretexters’ abilities to circumvent carrier authentication requirements and gain immediate access to call detail. By restricting the ways in which carriers release call detail in response to customer-initiated telephone calls, we place at most a minimal inconvenience on carriers and consumers.”

But mobile phone providers have failed to heed the FCC’s warnings concerning pretexting. They could have chosen to apply stronger security policies which mandate that customers’ phone numbers are only allowed to be ported when customers can furnish appropriate IDs to employees within a provider’s business storefront.

Furthermore, hackers have openly testified that only Verizon and T-Mobile customers were vulnerable to pretexting because AT&T call center software policies would lock an account from changes after multiple attempts of someone calling in as the account holder were logged in the system.

Pretexting REQUIRES multiple attempts because you must find a call center employee who will not follow protocols when transferring a number to a new SIM card. So a simple change in policies and procedures is what was really needed to protect customers.

As far as the law is concerned, telecommunication companies have no grounds for legal defense when a SIM swap attack occurs. The fact that you feel otherwise is not consistent with guidelines outlined by the FCC. To better educate yourself please see:

Written by

Incentives architect for TandaPay
