It’s easier than you think for someone to convince your carrier that they are you and get your number ported to their device, so that they receive your two-factor authentication (2FA) codes and bypass your security. We all know by now that using SMS for your 2FA is a very bad idea, and instead you should use an authenticator app (like Google Authenticator or this open-source alternative). But there’s a simple step you can take to prevent this: locking your SIM with a PIN, which protects you from this nightmare scenario that could allow a hacker to drain your bank account or steal your identity.
Why SIM swapping happens
And how you can lock your SIM easily
It’s relatively easy to move a SIM from one phone to another, which enables bad actors to get your 2FA codes. Once you lock your SIM, a code is required every time you restart your phone or toggle airplane mode; the carrier won’t enroll your device on the network until the PIN is entered. Think of it as a second level of security beyond your device PIN (or perhaps you’re using face unlock or your fingerprint). If someone enters the wrong code three times, your carrier will place your SIM in a personal unlocking key (PUK) lock. To reverse a PUK lock, you need a special key directly from the carrier.
This roadblock is critical to preventing someone from transferring your SIM. It starts with turning on the SIM PIN, which you can do on both Android and iOS with the following steps or by searching your settings for “SIM PIN” or “SIM Lock”:
Android: Settings -> Security & Privacy -> More Security & Privacy -> SIM lock
iOS: Settings -> Cellular -> SIM PIN
When you go through the above steps, you’ll have to first enter a default PIN (which you can reference below — it varies by carrier) before entering a custom PIN. Note: if your carrier is not listed below, you can do a quick Google search for “[carrier] default sim pin”.
Verizon: 1-1-1-1
AT&T: 1-1-1-1
T-Mobile: 1-2-3-4
There’s really no downside to turning on the SIM lock on your phone, besides the minor inconvenience of having to enter the SIM PIN each time your phone reboots. The SIM PIN tells your carrier: “make sure the SIM is authorized to connect to the network each time a connection is attempted for the first time.”
If you enter the wrong code three times, your SIM will be locked down by the carrier. So be careful when entering the default or custom PIN.
The next level up: Set up a dedicated transfer PIN with your carrier
A bit more work, but it gives you greater security
Credit: Brandon Miniman / MakeUseOf
Your strongest line of defense is to set up a dedicated “Transfer PIN” or “Port-Out Lock” with your carrier. This makes it impossible for someone to port your number to another carrier and take ownership of your phone number. It takes more work than the above SIM PIN, but it’s a stronger level of security.
Doing this varies by carrier. In the case of my carrier, AT&T, I would need to download the myAT&T app and turn on Wireless Account Lock, which will set up a special code that will prevent any number porting whatsoever from my account. For Verizon, you can activate a Number Transfer PIN from the Verizon website after you log in to your account. And for T-Mobile, you follow similar steps by requesting a Transfer PIN from the T-Mobile app or website, which will prevent an unwanted transfer of your number to another carrier.
SMS has poor security and shouldn’t be used for 2FA
Here’s what you should do instead
The grave security risk that someone could easily transfer your phone number to their control is reason number one why you should stop using SMS for 2FA. Instead, use an app like Google Authenticator, Authy, Microsoft Authenticator or something similar (even using your Notes app can work). Let me repeat this: if you rely on SMS for 2FA for bank accounts and other important accounts, you’re putting yourself at a major security risk, especially if you don’t take steps to set up a transfer PIN with your carrier.
Don’t make it easy for SIM swapping to happen
Use an authenticator app and enable SIM PIN
Whether fingerprint, face unlock or PIN, you already use a form of security on your phone every time you unlock it. Why not also lock down your SIM card? It’s a minor extra step that could save you from a security nightmare if someone tries to swap your SIM to be able to receive your 2FA codes. Both Android and iOS make it very easy to set up a SIM PIN, and it’s an absolute no-brainer.

