Like your email address, much of your online life is tied to your phone number, so keeping it secure is vital. And while you might think someone would need your phone to access your number, that’s not the case anymore.
SIM Swapping Explained
SIM swapping, also called simjacking, is a scheme where someone convinces your phone provider to port your number to a SIM card that they own. This results in you losing access to your phone number and provider service, while the attacker gets full access to these on their phone.
To convince a support representative at your carrier to swap the SIM, the person committing the fraud needs information about you. They can gather this from data breaches, for instance by using free tools that check for data exposed on the dark web. They might instead trick you into giving up the info via a phishing scam, or harvest it from your social media profile if you share too much information publicly.
Once they have the info, they call the customer support number for your carrier. They deceive the carrier into thinking that they’re you and need help moving your number to a new phone/SIM card. Since the need to do this can be legitimate, like if you lose your phone, the carrier likely won’t need a ton of convincing.
The Dangers of SIM Swapping
You don’t have to look far to see the problems here: someone with your phone number could impersonate you to family and friends, tricking them into sending money to an impostor. And since most online services let you recover your account with a phone number, access to your phone number is the key to breaking into other accounts you own.
SIM swapping is particularly destructive because SMS (text message)-based two-factor authentication (2FA) is still prevalent. More services are requiring you to enable 2FA on your accounts, but sometimes the only option is via SMS. If a fraudster successfully swaps your SIM, any additional security you had via SMS 2FA is moot.
Enable This Setting to Stay Safe
Thankfully, phone carriers are aware of this problem, and many now give you tools to fight it. You should first check on your carrier’s website or mobile app to see if there’s an option to disable SIM change requests.
I’ve used Mint Mobile for years, and it thankfully provides a toggle that prevents this problem before it begins. In my case, this is available in the Mint app under Menu > Number Lock or on the website under My Profile & Security > Number Lock.
After you enable this toggle, trying to disable it sends a code to your phone number or email address, which you must enter to confirm it’s you. Until then, the company won’t port your number while the setting is enabled.
A similar option is available for major carriers; check out the guides below for help:
- Verizon (Number Lock)
- T-Mobile (SIM Protection)
- AT&T (Wireless Account Lock)
If you use another carrier, look for an option with a name similar to these. This option is your best shield against SIM-swapping attacks, because it blocks them from happening at the root.
In case this isn’t available with your carrier, see if there’s an option to enable a PIN or secret phrase on your account. Some companies allow you to set these, which are then required when you call to ask about your account.
Other Ways to Protect From SIM Swapping Attacks
While the carrier option should keep you safe from most attacks that would steal your SIM data, it doesn’t hurt to add extra security. Other methods of protection are also important if your carrier doesn’t offer this option yet.
Don’t Use 2FA via SMS
Because of the SIM swapping risk, along with the general insecurity of SMS, it’s a wise security move to disable SMS-based 2FA from any accounts that allow you to do so. The best balance of security and convenience for most people is 2FA apps, which regularly generate codes you must enter upon logging in on a new device.
I don’t recommend Authy for this; the app is visually dated, has had security breaches in the past, and doesn’t allow you to export your keys if you decide to move to another 2FA app later. Proton Authenticator is a solid newcomer from a trusted company; you can also save 2FA codes in your password manager if you don’t mind having them all in one place.
If a service only offers 2FA via text, that’s better than nothing. But you should pick another option when it’s available.
Enable a SIM PIN on Your Phone
Both Android and iOS offer an option to lock your SIM card with its own PIN. With this feature, every time you restart your phone or remove your SIM, you’ll have to enter a PIN you set (separate from your phone’s unlock PIN).
On iPhone, you’ll find this under Settings > Cellular. If you have multiple SIMs, tap the applicable account. Then choose SIM PIN. On Android, search for “SIM PIN” in the Settings app.
You might be asked for the existing PIN; if you don’t know it, you shouldn’t guess, because too many incorrect attempts will lock your SIM—you’d then have to contact your carrier to fix it or get a new SIM.
The default SIM PIN for many carriers is either “1234” or the last four digits of your phone number, but you should check the official website or contact support to be sure.
This option is only useful if you think someone might steal your physical SIM card and insert it in their phone. Otherwise, I recommend against using it, since it’s yet another PIN to remember, and having to unlock your SIM every time you reboot your phone is a pain.
While eSIMs can still be compromised, there’s nothing physical to steal. The risk of someone using your phone number on your device without authorization is low, as long as you have a strong lock screen PIN.
SIM swapping attacks can happen out of nowhere, so being proactive about blocking them is something worth taking the time to do. If you ever suddenly lose cell service, can’t make calls, or similar, you should immediately contact your carrier to make sure someone hasn’t stolen your SIM.
And remember that you should never give out more info than you need to online. Between frequent data breaches and the information we make public, it’s too easy for nefarious folks to take that info and use it against you.