Skip to content

Top Best Ask Show New Jobs

Ask HN: Which Wireless Carriers Protect Against SIM Swapping & Port-Out Attacks?

44 pointsCAPSLOCKSSTUCK2y ago29 comments

I've been a Google Fi customer for a long time, and one of the pros is that you need to log in to your Google Account to make service changes (plus getting a hold of support is difficult, which is good in this context). However, I'm trying to move away from Google services and want to use Fastmail on iOS instead of Gmail on Android, but Google Fi requires the use of a Google account (e.g. for the Fi app, which provides critical functionality IIUC).

So to make a long-story short, I'm looking for another wireless carrier, but I'm concerned about SIM-swapping attacks (I know, I shouldn't be using SMS-based 2FA, but many services fallback to it and don't allow this to be disabled).

So, which carriers offer some kind of protection against SIM swapping, ideally something more than a 4-digit PIN that's texted to you (looking at you Mint)? During my research, I found https://www.efani.com/, but this seems like overkill for a non-high profile person.

I'm based in the US.

Thanks in advance.

29 comments

25 comments · 9 top-level

instagib2y ago· 4 in thread

https://www.t-mobile.com/support/plans-features/sim-protecti...

https://www.t-mobile.com/support/plans-features/account-take...

The document reveals that SIM card changes will now require either SMS verification from the customer or the credentials of two employees.

fullspectrumdev2y ago

> or the credentials of two employees

Unfortunately, most SIM swapping gangs these days are using stolen carrier credentials.

Can vouch, all three of the SIM swapping attacks that have been done on Enterprise T-Mobile accounts I'm involved in were done using stolen employee credentials, and the records would just say that the store employee verified the ID of the customer.

Store employees do not ask for the security pin or password on the account, even if it's notated that they should be asked for every time. Pretty much any account security notes like "Please email this address to request authorization for any account changes" get ignored by store reps.

T-Mobile's fraud team will tell you to file a police report about the incident, then they will ghost the police department and provide no details about what occurred, who was involved, where it happened and such. Without a subpoena you are SOL, about the only action you can take is filing a small claims court case against them and subpoenaing T-Mobile in the process. They do freak out when you send a friend to show up in Bellevue to serve the notice of said court case and the subpoena, but it's the only way to get them to acknowledge what happened and provide details so you can mitigate the compromise that occurred.

iisan72y ago

I believe T Mobile also allows you to require a secret 6-8 number PIN that is not texted to you. It's opt-in however, and I am not sure whether it can be overridden by a service tech.

Looks like they are changing their policies. Only call customer service or do something in store for now.

sneak2y ago· 4 in thread

Stop relying on your mobile number. I am not sim swappable because only my carrier knows my number. I don’t use the phone number of my SIM card for anything.

In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number.

While may be possible in your case (which must take a lot of work to do), there are many services people cannot practically avoid that are sim swappable.

For example, I cannot simply switch to a new water utility provider without moving out of the region. Someone’s mortgage could get sold to another bank with terrible security.

This is wholly impractical advice.

sneak2y ago

Why do any of the utilities need your phone number?

If they literally cannot function without a number, why do they need the phone number of the SIM you carry?

I have a phone with a SIM and cheap plan just for accounts associated with the building I sleep in. (Doordash et al would never get my address and any of my normal identifiers (email, phone, payment cards, etc) on the same records.) I call it the “house phone”.

"I don’t use the phone number of my SIM card for anything. In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number."

Good for you but that is not practical advice.

How is it not practical? If you have a newer iPhone or Android, you can add an eSIM like FreedomPop for the few calls or texts you might get from these vendors.

mike_d2y ago· 2 in thread

Google Fi is the absolute best solution to prevent against SIM swap attacks. Turn on Advanced Protection (g.co/advancedprotection) and it is damn near impossible.

Every carrier ultimately delegates access to store and call center staff that can remove any PIN, witches curse, or anything else they offer to add to your account. MVNOs are effectively riding on the same networks and if you phish a high enough level support person at the parent carrier they can be swapped as well.

PaulCarrack2y ago

That's simply not true:

https://9to5google.com/2023/01/31/google-fi-customer-hack-st...

T-Mobile is still the weakest link here. Google Fi appears to be just as vulnerable to a SIM swap attack as seen in that article.

mike_d2y ago

Based on the article (which notes it is unlikely to be a SIM swap) and the fact the users Authy (a locally installed 2FA app that syncs via iCloud) was compromised as well - I do not believe this disproves anything I said. We obviously can't know for sure, but it seems quite likely that the attacker had extensive access to the users accounts, possibly including the ability to access their Google account.

jimmies2y ago· 2 in thread

For banks that insist on doing SMS-based 2FA, I use a less well-known Google Voice number that only I know and don't give to my normal contacts. That number does nothing other than to receive 2FA codes, doesn't forward its messages and calls to any other numbers.

My reasoning is that it would not be trivial to guess the phone number from my account/name, and to guess my name from phone number (unless someone hacks into the bank's db, in which I'm in troubles anyways). Furthermore if someone was able to figure out that link, it would not be trivial to do SIM swap on Google Voice, it would not be trivial to attack the Google Voice app. Two or three stars have to line up for someone to sim-swap that GV number.

But some stupid bank go further to ban GV numbers. In which case I just don't bank with them.

Many banks don't allow Google Voice numbers for SMS-based 2FA. That's a disadvantage.

Dump those banks for a reasonable credit union that has access to the co-op ATM and branch network. There's no reason to be with Bank of Scoundrels (Bank of America) or any of the other scummy banks when many credit unions today can't deliver all of the same features and more of a traditional bank.

Zelle, ACH, international wires, credit products like credit cards, home loans, personal loans, auto loans and such are all available through many credit unions, and they also reimburse ATM fees, often offer higher savings and checking account interest rates, and if your credit is poor or downright awful, they will often lend to you at a low interest rate when no bank or credit card provider would do so.

CAPSLOCKSSTUCKOP2y ago· 2 in thread

I appreciate the responses. I'll probably go with Ting, but Efani is also interesting.

By the way, for anyone in my situation who wants to stay with Fi but not be signed in to a Google Account on their device, https://www.reddit.com/r/GoogleFi/comments/xzqd6v/what_does_... may be interesting.

EFANI: $99/mo or $999 in annual payments ($83/mo) …is a provider of mobile service and you get your choice of two top US mobile networks (excluding T-Mobile)

One issue I see is getting deprioritized by not being a direct Verizon customer. I’ve had issues in small towns before due to this.

Second, high speed data is free globally roaming but is texting also? It says texting to 200 countries free but it implies from North America.

Safety Procedures Our security protocols use an 11-layer proprietary verification process, and no hacking attempt has ever passed beyond the third step: Any major change must be approved by multiple staff members and run through a rigorous manual process, including a notarized statement. A SIM swap can only go ahead after a 14-day cooling off period.

AT&T's LTE network often flaps on and offline on many towers from what I've seen, regardless of whether you got an iPhone or Android. 1 minute you'll have bars, the next to you won't be able to call 911.

Meanwhile, Verizon has only kind of figured out VoLTE (and still has inbound call delivery issues) and is the most heavily loaded, slowest network in the US.

Most of these issues are area dependent, but there is a reason why AT&T held off for so long when offering their new internet air product for 5G home internet, and why Verizon is so hesitant to add network load with their home internet product, hence both of them being very selective of what address is qualify for this service.

ratg132y ago· 1 in thread

Some landline carriers allow text messaging.

So if you could find one that offered that, your best bet would be a landline + PIC freeze.

Many carrier queries like what Twilio offers will actually show the text messaging enablement provider, which can allow you to reclassify landline (RBOC), CLEC, VoIP and similar as a mobile number in the eyes of many vendors.

unstatusthequo2y ago· 1 in thread

Efani

DanAtC2y ago

The longer I look at Efani's website, the more it looks like a scam: no clear information about eSIM support, typos, repeated/redundant blog posts that seem AI generated, "11-layer verification" whatever that means...

PascLeRasc2y ago

I use Ting because it’s the only provider other than Fi that offers TOTP 2FA without SMS fallback. They wrote about their SIM swap policies here: https://help.ting.com/hc/en-us/community/posts/360030105653-...

Telekom in Germany but I also use a secondary sim that is only used for emergencies and 2FA.

j / k navigate · click thread line to collapse