Ask HN: Which Wireless Carriers Protect Against SIM Swapping & Port-Out Attacks?

44 points by CAPSLOCKSSTUCK 2 years ago · 30 comments · 1 min read

I've been a Google Fi customer for a long time, and one of the pros is that you need to log in to your Google Account to make service changes (plus getting a hold of support is difficult, which is good in this context). However, I'm trying to move away from Google services and want to use Fastmail on iOS instead of Gmail on Android, but Google Fi requires the use of a Google account (e.g. for the Fi app, which provides critical functionality IIUC).

So to make a long story short, I'm looking for another wireless carrier, but I'm concerned about SIM-swapping attacks (I know, I shouldn't be using SMS-based 2FA, but many services fall back to it and don't allow this to be disabled).

So, which carriers offer some kind of protection against SIM swapping, ideally something more than a 4-digit PIN that's texted to you (looking at you Mint)? During my research, I found https://www.efani.com/, but this seems like overkill for a non-high profile person.

I'm based in the US.

Thanks in advance.

mike_d 2 years ago

Google Fi is the absolute best solution to prevent against SIM swap attacks. Turn on Advanced Protection (g.co/advancedprotection) and it is damn near impossible.

Every carrier ultimately delegates access to store and call center staff that can remove any PIN, witch's curse, or anything else they offer to add to your account. MVNOs are effectively riding on the same networks and if you phish a high enough level support person at the parent carrier they can be swapped as well.

  • PaulCarrack 2 years ago

    That's simply not true:

    https://9to5google.com/2023/01/31/google-fi-customer-hack-st...

    T-Mobile is still the weakest link here. Google Fi appears to be just as vulnerable to a SIM swap attack as seen in that article.

    • mike_d 2 years ago

      Based on the article (which notes it is unlikely to be a SIM swap) and the fact the user's Authy (a locally installed 2FA app that syncs via iCloud) was compromised as well - I do not believe this disproves anything I said. We obviously can't know for sure, but it seems quite likely that the attacker had extensive access to the user's accounts, possibly including the ability to access their Google account.

      • simfree 2 years ago

        The bottom line is you're still stuck on T-Mobile's infrastructure, which is a mishmash of old Oracle databases, insecure defaults and has a history of being breached.

        Heck, up until the last year or two you could go to TracFone or any of their subsidiaries' websites to refill/top up, type in a phone number on AT&T, Verizon or T-Mobile and get the IMEI and SIM number of the line, then use that to authenticate yourself as the end user with T-Mobile. The other details like name, address, birth date and such are publicly available in state voter rolls for the vast majority of account holders.

        US carriers need to provide fraud prevention APIs for free that indicate whether a phone number has changed SIM card or IMEI # in the last week, and they also need to provide free access to their LRN databases so you can see if the carrier of a phone number has changed (e.g., a port-out attack).

        As is, some banks have implemented the LRN query check already to deregister you from Zelle and phone number authentication when you call or text them for banking, but this significant cost burden due to phone provider insecurity should be borne by the industry creating the security problem.

        • supertrope 2 years ago

          I came to an alternate conclusion. While cellular network operators generally have abysmal authentication procedures they are not responsible for bank fraud. If a bank relies on SMS-delivered codes to confirm large funds transfers, they have taken a measured risk in offloading identity binding to a third party. Banks could use TOTP, USB dongles, CAP, have a customer support employee check knowledge-based questions, physically mailed TANs, app push notification, etc. But SMS is used because it’s cheap, less worse than passwords only, and most people have a cellphone.
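
simfree's comment above names two signals a relying party could check before trusting a number for SMS codes: a SIM or IMEI change in the last week, and a carrier change visible through an LRN lookup. The following is an added example, not part of the thread and not any carrier's or vendor's real API, showing one way to gate SMS codes on those signals; the `LineStatus` fields, the action names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RECENT = timedelta(days=7)  # "in the last week", as the comment puts it

@dataclass
class LineStatus:
    # Hypothetical lookup result; all field names are assumptions.
    carrier: str                      # current carrier, LRN-style lookup
    sim_changed: Optional[datetime]   # last SIM change, if known
    imei_changed: Optional[datetime]  # last IMEI change, if known

def sms_otp_decision(status, enrolled_carrier, now):
    """Decide whether an SMS code may be sent to an enrolled number."""
    ported = status.carrier != enrolled_carrier
    reasons = ["carrier changed since enrollment"] if ported else []
    for label, ts in (("SIM", status.sim_changed), ("IMEI", status.imei_changed)):
        if ts is not None and timedelta(0) <= now - ts <= RECENT:
            reasons.append(f"{label} changed in the last week")
    if ported:
        # The number may now sit on someone else's line: drop phone-based
        # auth until the customer re-verifies through another channel.
        return "deregister_phone", reasons
    if reasons:
        return "require_other_factor", reasons
    return "allow_sms", reasons

# Constructed sample data (not real lookups); carrier names are placeholders.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLES = {
    "stable": LineStatus("Carrier A", datetime(2023, 6, 1, tzinfo=timezone.utc), None),
    "sim_swapped": LineStatus("Carrier A", datetime(2024, 1, 13, tzinfo=timezone.utc), None),
    "ported_out": LineStatus("Carrier B", datetime(2024, 1, 14, tzinfo=timezone.utc), None),
}

def evaluate_samples():
    return {name: sms_otp_decision(s, "Carrier A", NOW) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, reasons) in evaluate_samples().items():
        print(f"{name:12} {action:22} {'; '.join(reasons) or '-'}")
```
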

PascLeRasc 2 years ago

I use Ting because it’s the only provider other than Fi that offers TOTP 2FA without SMS fallback. They wrote about their SIM swap policies here: https://help.ting.com/hc/en-us/community/posts/360030105653-...

instagib 2 years ago

https://www.t-mobile.com/support/plans-features/sim-protecti...

https://www.t-mobile.com/support/plans-features/account-take...

The document reveals that SIM card changes will now require either SMS verification from the customer or the credentials of two employees.

  • fullspectrumdev 2 years ago

    > or the credentials of two employees

    Unfortunately, most SIM swapping gangs these days are using stolen carrier credentials.

    • simfree 2 years ago

      Can vouch, all three of the SIM swapping attacks that have been done on Enterprise T-Mobile accounts I'm involved in were done using stolen employee credentials, and the records would just say that the store employee verified the ID of the customer.

      Store employees do not ask for the security PIN or password on the account, even if it's notated that they should be asked for every time. Pretty much any account security notes like "Please email this address to request authorization for any account changes" get ignored by store reps.

      T-Mobile's fraud team will tell you to file a police report about the incident, then they will ghost the police department and provide no details about what occurred, who was involved, where it happened and such. Without a subpoena you are SOL, about the only action you can take is filing a small claims court case against them and subpoenaing T-Mobile in the process. They do freak out when you send a friend to show up in Bellevue to serve the notice of said court case and the subpoena, but it's the only way to get them to acknowledge what happened and provide details so you can mitigate the compromise that occurred.

  • iisan7 2 years ago

    I believe T-Mobile also allows you to require a secret 6-8 number PIN that is not texted to you. It's opt-in however, and I am not sure whether it can be overridden by a service tech.

    • instagib 2 years ago

      Looks like they are changing their policies. Only call customer service or do something in store for now.

jimmies 2 years ago

For banks that insist on doing SMS-based 2FA, I use a less well-known Google Voice number that only I know and don't give to my normal contacts. That number does nothing other than to receive 2FA codes, doesn't forward its messages and calls to any other numbers.

My reasoning is that it would not be trivial to guess the phone number from my account/name, and to guess my name from phone number (unless someone hacks into the bank's db, in which case I'm in trouble anyway). Furthermore if someone was able to figure out that link, it would not be trivial to do a SIM swap on Google Voice, it would not be trivial to attack the Google Voice app. Two or three stars have to line up for someone to SIM-swap that GV number.

But some stupid banks go further and ban GV numbers. In which case I just don't bank with them.

  • raincom 2 years ago

    Many banks don't allow Google Voice numbers for SMS-based 2FA. That's a disadvantage.

    • simfree 2 years ago

      Dump those banks for a reasonable credit union that has access to the co-op ATM and branch network. There's no reason to be with Bank of Scoundrels (Bank of America) or any of the other scummy banks when many credit unions today can't deliver all of the same features and more of a traditional bank.

      Zelle, ACH, international wires, credit products like credit cards, home loans, personal loans, auto loans and such are all available through many credit unions, and they also reimburse ATM fees, often offer higher savings and checking account interest rates, and if your credit is poor or downright awful, they will often lend to you at a low interest rate when no bank or credit card provider would do so.

CAPSLOCKSSTUCK (OP) 2 years ago

I appreciate the responses. I'll probably go with Ting, but Efani is also interesting.

By the way, for anyone in my situation who wants to stay with Fi but not be signed in to a Google Account on their device, https://www.reddit.com/r/GoogleFi/comments/xzqd6v/what_does_... may be interesting.

  • instagib 2 years ago

    EFANI: $99/mo or $999 in annual payments ($83/mo) …is a provider of mobile service and you get your choice of two top US mobile networks (excluding T-Mobile)

    One issue I see is getting deprioritized by not being a direct Verizon customer. I’ve had issues in small towns before due to this.

    Second, high speed data is free globally roaming but is texting also? It says texting to 200 countries free but it implies from North America.

    Safety Procedures: Our security protocols use an 11-layer proprietary verification process, and no hacking attempt has ever passed beyond the third step: Any major change must be approved by multiple staff members and run through a rigorous manual process, including a notarized statement. A SIM swap can only go ahead after a 14-day cooling off period.

    • simfree 2 years ago

      AT&T's LTE network often flaps on and offline on many towers from what I've seen, regardless of whether you've got an iPhone or Android. One minute you'll have bars, the next you won't be able to call 911.

      Meanwhile, Verizon has only kind of figured out VoLTE (and still has inbound call delivery issues) and is the most heavily loaded, slowest network in the US.

      Most of these issues are area dependent, but there is a reason why AT&T held off for so long when offering their new Internet Air product for 5G home internet, and why Verizon is so hesitant to add network load with their home internet product, hence both of them being very selective about which addresses qualify for this service.

sneak 2 years ago

Stop relying on your mobile number. I am not sim swappable because only my carrier knows my number. I don’t use the phone number of my SIM card for anything.

In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number.

  • redserk 2 years ago

    While it may be possible in your case (which must take a lot of work to do), there are many services people cannot practically avoid that are SIM swappable.

    For example, I cannot simply switch to a new water utility provider without moving out of the region. Someone’s mortgage could get sold to another bank with terrible security.

    This is wholly impractical advice.

    • sneak 2 years ago

      Why do any of the utilities need your phone number?

      If they literally cannot function without a number, why do they need the phone number of the SIM you carry?

      I have a phone with a SIM and cheap plan just for accounts associated with the building I sleep in. (Doordash et al would never get my address and any of my normal identifiers (email, phone, payment cards, etc) on the same records.) I call it the “house phone”.

      • redserk 2 years ago

        I am assuming your comment is in good faith here.

        I’m in the United States. My state does not have laws mandating MFA be available via any mechanism, and I’m not sure if any state does.

        I do not get service if I do not provide my name, service address and some contact phone number. Maybe I could argue with a CSR for an hour to refuse to give it, but the time-value of this is ridiculous.

        Secondly, if I want to turn on any form of MFA for access to my account, this phone number is then used to send codes by giving me a text. Unlike some services, receiving this code over voice is not possible. Email is not an option. My utility also has a skeleton phone support staff as they have been pushing everyone to online management, so opting to pay my bills only after I view them is now more difficult. Multiply this by a number of other services.

        In the United States, the second constraint is not necessarily uncommon. Some services improve on this model by calling you with a MFA code or emailing you, but not all.

        The difficult issue over the last few years are services tightening down access to which phone numbers you can even use for these services. Increasingly, services are restricting the use of VoIP numbers.

        Lastly, merely giving my phone number out to friends and family is a risk to keeping total privacy. A large number of messaging services upload your full address book of names and numbers to the service. It only takes one person using one app for the potential mapping of your name to phone number to leak. I am not going to rotate phone numbers amongst family and friends every few months to avoid this because this would be an enormous use of time.

        I’m glad you are able to make the scheme work but this isn’t a workable model everywhere.

        • sneak 2 years ago

          I am not sure why friends and family would ever need your GSM number. Do you use SMS and PSTN calls with them? VoIP and video calling apps are much higher quality audio, and also support video.

          People call me with apps, not with phone calls. You can sign in to apps with a number that isn’t the number of your SIM card.

  • codegeek 2 years ago

    "I don’t use the phone number of my SIM card for anything. In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number."

    Good for you but that is not practical advice.

    • simfree 2 years ago

      How is it not practical? If you have a newer iPhone or Android, you can add an eSIM like FreedomPop for the few calls or texts you might get from these vendors.

ratg13 2 years ago

Some landline carriers allow text messaging.

So if you could find one that offered that, your best bet would be a landline + PIC freeze.

  • simfree 2 years ago

    Many carrier queries like what Twilio offers will actually show the text messaging enablement provider, which can allow you to reclassify landline (RBOC), CLEC, VoIP and similar as a mobile number in the eyes of many vendors.

Zetobal 2 years ago

Telekom in Germany but I also use a secondary sim that is only used for emergencies and 2FA.

unstatusthequo 2 years ago

Efani

  • DanAtC 2 years ago

    The longer I look at Efani's website, the more it looks like a scam: no clear information about eSIM support, typos, repeated/redundant blog posts that seem AI generated, "11-layer verification" whatever that means...
