To combat the growing number of robocalls and SIM swapping attacks, the US FCC has outlined new plans, including detailed verification of users and implementation of the STIR/SHAKEN protocol.
According to the regulator, these new rules for mobile carriers and intermediaries should make it easier to handle spam and thwart robocalls and SIM swapping attacks. Larger mobile carriers have already implemented most of the rules, and smaller companies are doing the same.
FCC Rules Against SIM Swapping
For those unfamiliar, SIM swapping is a social engineering technique in which an attacker tries to fool the victim’s mobile carrier into transferring the victim’s number to a SIM card in the attacker’s possession.
This lets the attacker receive all of the victim’s OTPs and other authentication codes and hack all related accounts. To prevent this, the FCC is amending the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to make mobile carriers verify the customer before reassigning the phone number to a new SIM card.
Further, it requires mobile carriers to notify the actual customer before reassigning the number to a new SIM card or porting it. The new rules also aim to address the port-out scam, where an attacker tries to port the victim’s phone number to a new carrier.
Aside from SIM swapping, the rules will thwart robocalls effectively by forcing mobile carriers to implement the STIR/SHAKEN protocol. Under this, they have to maintain a Robocall Mitigation Database, which devices will check before processing a call.
So if a number has been tagged as spam, it will be displayed as such in the caller ID on the receiver’s phone while it rings. The FCC said any mobile carrier not following the rules will be banned from using the support of other carriers in the industry, and thus will be unable to process its calls.
And it seems to be working, as over 4,798 companies have submitted to the Robocall Mitigation Database, including the most prominent mobile carriers in the US.