When the FCC adopted its SIM Swap and Port-Out Fraud rules in November 2023 (FCC 23-95, amending 47 CFR Part 64), it confronted one of the most lucrative attack vectors in modern cybercrime. SIM swap fraud — where attackers trick or bribe a carrier representative into porting a victim's number onto an attacker-controlled device — has emptied bank accounts, drained cryptocurrency wallets, and bypassed SMS-based two-factor authentication for hundreds of thousands of Americans. As the rules continue their phased compliance and enforcement rollout through 2026, against the backdrop of ongoing 'Scattered Spider' intrusions and the AT&T/Snowflake-era credential breaches, it is worth pausing to appreciate what the Commission did not do — and why that restraint matters.
The targeted fix: authentication at the point of change
The Commission's rules require wireless providers to use secure methods of authenticating a customer before effecting a SIM change or number port, and to immediately notify the customer when such a request is made. Carriers must maintain records of SIM change and port-out requests, train employees, and offer customers the ability to lock their accounts against port-out requests. The architecture is straightforward: the regulated event is the change, not the original purchase.
That distinction is everything. The rule treats the SIM as a security credential that needs robust step-up authentication when it moves, in the same way a bank treats a wire transfer differently from a deposit. It does not treat the SIM itself as a national identity token that the government must enroll, verify, and bind to a citizen file at the point of sale.
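The control architecture the rule describes, sketched as an added Python model (not FCC text and not any carrier's code): the customer-set lock, step-up authentication, immediate notification and record-keeping all hang off the change request, and nothing about how the SIM was originally sold enters the decision. The PIN-attempt threshold and the device-approval second factor are assumptions of this sketch, not requirements quoted from the rule.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold; the rule text does not set one

@dataclass
class Account:
    number: str
    pin_hash: bytes                 # salted hash of the customer-set port-out PIN
    salt: bytes
    port_lock: bool = False         # customer-set lock against SIM change / port-out
    failed_pins: int = 0
    audit: list = field(default_factory=list)          # retained request records
    notifications: list = field(default_factory=list)  # messages to the existing device

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def new_account(number: str, pin: str, port_lock: bool = False) -> Account:
    salt = secrets.token_bytes(16)
    return Account(number, hash_pin(pin, salt), salt, port_lock)

def request_sim_change(acct: Account, pin: str, channel: str, device_approved: bool) -> str:
    """Gate a SIM change: record, notify, then step-up authenticate before anything moves."""
    # 1. Every request is recorded and the customer is told immediately, before the
    #    change takes effect, so a fraudulent attempt is visible while it can be stopped.
    acct.audit.append(("sim_change_requested", channel))
    acct.notifications.append(f"SIM change requested via {channel}; contact us if this was not you")
    # 2. A customer-set lock overrides anything a representative can do.
    if acct.port_lock:
        acct.audit.append(("denied", "port_lock"))
        return "denied:port_lock"
    # 3. First step-up factor: port-out PIN, constant-time compare, with lockout (assumed).
    if acct.failed_pins >= MAX_PIN_ATTEMPTS:
        acct.audit.append(("denied", "pin_lockout"))
        return "denied:pin_lockout"
    if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failed_pins += 1
        acct.audit.append(("denied", "bad_pin"))
        return "denied:bad_pin"
    # 4. Second step-up factor (assumed): approval from the device currently holding the number.
    if not device_approved:
        acct.audit.append(("held", "awaiting_device_approval"))
        return "held:awaiting_device_approval"
    acct.failed_pins = 0
    acct.audit.append(("sim_changed", channel))
    return "changed"
```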
The road not taken: mandatory SIM-to-ID binding
Compare this with the regimes that the United States explicitly declined to copy. Pakistan's PTA biometrically verifies every SIM against the NADRA national identity database, with thumbprints captured at the point of activation and caps on how many SIMs a single CNIC can hold. India ties each SIM to an Aadhaar number or alternative officially valid document under DoT KYC rules, and has expanded reverification campaigns to flush out 'fake' connections. China's real-name registration regime, dating to a 2013 MIIT order and tightened repeatedly since, mandates that no SIM be sold without verified ID, and that registration data sync with public security databases.
These systems share a common architecture and a common pathology: every prepaid SIM is a tracked, identifiable handle on a person. They reduce some categories of anonymous abuse but at the cost of building a permanent infrastructure for population-scale surveillance, locking out the unbanked and undocumented from basic connectivity, and creating massive honeypots of identity data — as Pakistan and India have both learned through repeated breaches.
Why the FCC's design is better policy
The case for the American approach rests on three observations:
- The threat model is the swap, not the sale. Scattered Spider, the criminal cluster behind a string of 2023–2025 intrusions at MGM, Caesars, and reportedly several telecoms and SaaS providers, does not generally need to acquire fresh SIMs in fake names. It targets carrier and call-center insiders — through social engineering, bribery, or compromised support tools — to move existing legitimate numbers onto attacker SIMs. Mandatory ID at point of purchase does nothing to defeat that.
- Identity-binding fails open. The 2024 AT&T breach disclosed via the Snowflake-related intrusion exposed call and text metadata for nearly all of AT&T's wireless customers — over 100 million people. If America had spent the prior decade building a SIM-to-Social-Security-Number registry, that same breach class would have produced an identity catastrophe instead of a metadata catastrophe.
- Anonymous and pseudonymous communication is a feature, not a bug. Domestic violence victims, journalists, dissidents from abroad, and ordinary Americans who simply want to compartmentalize their digital life all benefit from the ability to acquire prepaid SIMs without producing government ID. That latitude has been a quiet First Amendment dividend for decades.
Enforcement is doing real work
The substance of FCC 23-95 is now being tested. The FCC's Privacy and Data Protection Task Force, established in 2023, has signaled active oversight of carrier compliance, and the rules have featured in enforcement and consent decree activity related to legacy CPNI failures. Industry-wide adoption of customer-set port-out PINs, account locks, and notification flows has measurably risen since 2024. None of this required a national ID database.
What proportionate next steps look like
The right marginal moves are technical and procedural, not architectural:
- Continue migrating high-value services off SMS-based 2FA toward passkeys, FIDO2 authenticators, and app-based push approvals — work that NIST has been nudging since SP 800-63B was first revised in 2017.
- Press carriers to harden insider-access controls, given that the human factor at retail and call-center tiers remains the primary failure mode.
- Standardize cross-carrier port-out fraud signaling so that suspicious port histories follow the number, not just the originating carrier.
- Resist proposals — periodically floated after high-profile incidents — to add federal ID-at-purchase mandates. The marginal security benefit is small; the civil liberties and breach-blast-radius costs are large and irreversible.
The American bet
FCC 23-95 reflects a distinctly American regulatory instinct: fix the specific failure mode, leave the open infrastructure alone. It is a reminder that good cybersecurity policy does not require turning every endpoint into an identity checkpoint. As the rules complete their rollout, the lesson worth exporting is not the rule text itself but the underlying judgment — that authentication, not enrollment, is the lever the state should be pulling.