“CAN I GET YOUR DIGITS?”: ILLEGAL ACQUISITION OF WIRELESS PHONE NUMBERS FOR SIM-SWAP ATTACKS AND WIRELESS PROVIDER LIABILITY

Andrews, Nathanael | November 1, 2018

In a SIM-swap attack, a hacker uses text messages sent to a wireless customer’s phone number to reset passwords and access critical accounts. These SIM-swap attacks are often targeted at cryptocurrency (e.g., bitcoin) holders and can result in thousands or even millions of dollars in losses. Wireless providers are often the weakest point exploited by hackers in SIM-swap attacks. These hacks are even more insidious because they rely primarily on social vulnerabilities rather than technical skill: hackers pressure accommodating customer service agents or bribe wireless provider employees in order to gain control of a customer’s wireless account and phone number. The wireless account and phone number provide a gateway to all of the wireless customer’s digital accounts through password reset codes sent to the victim’s phone number, which the hacker now controls. Yet wireless providers have failed to protect this gateway. Experience has shown that it is surprisingly easy for a hacker to gain control of a wireless customer’s phone number. This note argues that wireless providers should be liable for negligence according to a reasonableness standard of care. Such a standard would motivate them to do more to protect wireless customers. Wireless customers are being harmed by hackers, and wireless providers are positioned to prevent that harm by blocking unauthorized control of customer phone numbers. This note provides background on the SIM-swap attack, addresses policy arguments supporting the liability of wireless providers, examines how liability of wireless providers can be found under federal statutory law, and argues that common law negligence is the most appropriate route to wireless provider liability. The policy-based arguments address victims with a pressing need for a remedy, wireless providers as the least cost avoider, and wireless providers as the most competent avoider. The law-based arguments address the roles of the FCC and the FTC in SIM-swap attacks and distinguish developments in common law negligence liability for general data breaches. In short, this note argues that SIM-swap attacks give rise to important harms, that wireless providers should be liable for those harms, and that negligence with a reasonableness standard of care is the right standard for liability.