ANDRI.BLOG
Security
11 min read

Your Phone Number Is the Weakest Link

SIM swapping lets attackers steal your phone number without touching your phone. They use it to drain bank accounts, hijack social media, and bypass your 2FA.

A friend of mine lost $12,000 in about forty minutes. He was sitting at home when his phone dropped to "No Service." He figured it was a carrier outage — annoying, but whatever. By the time he connected to Wi-Fi and checked his email, the damage was done. Password reset confirmations from his bank, his email provider, and two crypto exchanges, all triggered by SMS verification codes that were now going to someone else's phone.

His phone number had been ported to a SIM card controlled by an attacker. No malware. No phishing link. Just a phone call to his carrier and some social engineering.

This is a SIM swap attack, and it's been growing steadily for years. The FBI's Internet Crime Complaint Center logged over $68 million in SIM swapping losses in 2023 alone, and the real number is almost certainly higher because most victims don't report it.

How SIM Swapping Works

Your phone number isn't tied to your physical SIM card in any permanent way. It's a record in your carrier's database that says "route calls and texts for this number to this SIM." Changing that record is something carrier employees do every day — when you upgrade your phone, replace a lost SIM, or switch carriers. It's a routine operation.

A SIM swap attack exploits that routine. The attacker contacts your carrier — either by calling customer support, walking into a store, or using the carrier's online portal — and convinces them to transfer your number to a new SIM. Once the transfer goes through, your phone goes dead and theirs starts receiving your calls and texts.

The whole process can take under ten minutes.

There are three main ways attackers pull this off:

Social Engineering the Call Center

The most common method. The attacker calls your carrier pretending to be you. They claim they lost their phone, got a new one, and need their number moved to a new SIM. The customer service rep asks for verification — name, address, last four of your SSN, account PIN.

Here's the problem: most of that information is already available. Your name and address are in data broker databases. Your SSN may have been exposed in any number of breaches (the 2017 Equifax breach alone exposed 147 million). Your carrier account PIN — if you even set one — might be a four-digit number you also use elsewhere.

Attackers come prepared. They've already purchased your personal data from breach dumps or scraped it from social media. When the rep asks for your mother's maiden name, the attacker has it. When they ask for the last four of your SSN, the attacker has that too.

Some attackers don't even bother being subtle. They call repeatedly, hanging up when they get a rep who asks too many questions, until they find one who's rushed or undertrained enough to push the swap through with minimal verification.

Insider Threats at Carriers

This one is darker. Attackers recruit or bribe employees at carrier retail stores or call centers to perform the swap from the inside. No social engineering needed — the employee has direct access to the system.

In 2023, a former T-Mobile employee was charged for performing unauthorized SIM swaps for $500 each. He wasn't unique. Law enforcement has uncovered multiple rings where carrier employees were paid between $300 and $1,000 per swap. When you're making $17/hour at a retail store, that's a lot of money for thirty seconds of work.

The carriers know this is a problem. T-Mobile, AT&T, and Verizon have all faced lawsuits from customers who lost money after SIM swaps that their own employees facilitated.

Port-Out Attacks

Instead of swapping the SIM within your carrier, the attacker ports your number to a completely different carrier. They set up an account with the new carrier, request a number port, and provide enough of your personal information to pass the verification checks.

Porting has to work smoothly by design — regulators require carriers to let customers switch providers easily. That same ease of switching is what attackers exploit. The original carrier sends you a confirmation text, but if you're not watching for it, the port completes and your number moves.

What Happens After the Swap

Once the attacker has your number, they don't care about your phone calls. They care about one thing: SMS-based two-factor authentication.

Here's the attack chain:

  1. Password reset. The attacker goes to your email provider and clicks "Forgot password." Many services offer the option to verify via SMS. The verification code goes to the attacker's phone.

  2. Email takeover. With access to your email, the attacker can now reset passwords on every service connected to that email address. Bank, crypto exchange, social media — anything that sends password reset links to your inbox.

  3. Drain accounts. They move money, transfer crypto, or sell access to your social media accounts. High-value Instagram and Twitter handles sell for thousands on underground markets.

  4. Lock you out. They change passwords and recovery options so you can't get back in. By the time you realize what's happening, you're fighting to prove you're you.

The whole thing can happen in under an hour. I've seen cases where the victim didn't even realize their phone had lost service because they were on Wi-Fi and assumed everything was fine.

Why This Keeps Getting Worse

Three trends are driving the growth:

SMS 2FA is everywhere. Despite years of security experts saying SMS is the weakest form of two-factor authentication, it's still the default on most services. Banks love it because it's easy to implement and customers understand it. But every service that relies on SMS codes for account recovery is vulnerable to SIM swapping.

Personal data is cheap. The raw material for social engineering — names, addresses, phone numbers, SSNs, security question answers — is available in bulk from past breaches. A package of someone's personal details might cost $5-20 on dark web markets. The attackers don't need to hack anything; they just need to shop.

Crypto makes theft easy to cash out. Traditional bank fraud has friction — transfers can be reversed, accounts can be frozen. Cryptocurrency doesn't have a chargeback mechanism. Once it's transferred, it's gone. This makes crypto holders particularly attractive targets for SIM swappers.

How to Protect Yourself

Set Up a Carrier PIN or Passcode

Every major carrier lets you set a PIN or passcode that must be provided before making account changes, including SIM swaps.

  • T-Mobile: Set up Account Takeover Protection in the T-Mobile app or your online account
  • AT&T: Add an "extra security" passcode through your account settings
  • Verizon: Set a Number Lock through the My Verizon app
  • Visible/MVNOs: Check your account settings — most offer some form of SIM lock

Make this PIN something unique. Don't use your birthday, the last four of your SSN, or any number you use elsewhere. A random six-digit or eight-digit PIN stored in your password manager is ideal.

This is the single most effective thing you can do, and it takes two minutes.

Enable Number Lock or Port Freeze

Most carriers offer a feature that explicitly blocks your number from being ported out to another carrier. It goes by different names:

  • T-Mobile: SIM Protection (formerly Account Takeover Protection)
  • AT&T: Number Lock
  • Verizon: Number Lock

When enabled, any port-out request will be rejected until you manually disable the lock. Turn this on and forget about it until you actually need to switch carriers.

Move Away from SMS 2FA

Anywhere you're using SMS codes as your second factor, switch to something better:

  • Authenticator apps (Authy, Google Authenticator, Microsoft Authenticator) generate codes locally on your device. A SIM swap doesn't affect them.
  • Passkeys are even better — they're phishing-resistant and don't depend on your phone number at all. I've written about setting these up.
  • Hardware security keys (YubiKey, etc.) are the gold standard for high-value accounts.

Start with your email account. If an attacker can't get into your email via SMS recovery, the entire SIM swap attack chain falls apart. Then do your bank, crypto exchanges, and social media.

Check your accounts for SMS-based recovery options too, not just 2FA. Some services let you add an authenticator app for login but still allow SMS for account recovery. That backdoor defeats the purpose.

Use a Separate Number for Financial Accounts

If you're a high-value target — you hold significant crypto, have a large social media following, or work in a field where you might be targeted — consider using a Google Voice number or a separate prepaid line for financial account verification. Google Voice numbers can't be SIM swapped through a carrier because they're tied to your Google account, not a physical SIM.

This is overkill for most people, but if you've already been targeted once, it's worth the hassle.

Monitor Your Phone's Connectivity

If your phone suddenly shows "No Service" or "SOS Only" for more than a few minutes and you're in an area where you normally have coverage, don't shrug it off. This is the primary symptom of a SIM swap.

Immediately:

  1. Try to make a call. If it fails, don't wait.
  2. Get on Wi-Fi.
  3. Try to log into your email and bank accounts. Change passwords if you can.
  4. Call your carrier from a different phone and tell them to freeze your account.

Speed matters. The attacker is moving fast, and every minute counts.

Watch for Reconnaissance

SIM swap attacks rarely come out of nowhere. Attackers typically do reconnaissance first:

  • Phishing emails asking you to "verify" your phone number or carrier account
  • Calls from someone claiming to be your carrier asking to "confirm" your PIN or account details
  • Social media data harvesting — attackers sometimes engage with targets to gather personal details

If someone calls claiming to be from your carrier and asks for your PIN, hang up. Your carrier will never call you and ask for your PIN — that's the thing they ask you for when you call them.

What Carriers Are Doing (Slowly)

Carriers have gotten better, but it's been a slog. The FCC issued rules in late 2023 requiring carriers to adopt more secure authentication before processing SIM changes and port-out requests. These rules went into effect in 2024, and they've helped — but they haven't eliminated the problem.

T-Mobile's SIM Protection feature, which requires in-person verification with a government ID for SIM changes, is probably the strongest consumer-facing defense any carrier offers right now. But it's opt-in, and most customers don't know it exists.

The fundamental problem remains: carriers have to balance security against convenience. Making SIM swaps harder also makes it harder for legitimate customers who actually lost their phone and need a new SIM. Every additional verification step generates customer complaints and support calls.

But that trade-off is shifting. As SIM swap losses climb and lawsuits pile up, carriers are finding that "it was too easy to steal someone's number" is an expensive position to defend in court.

If You've Been SIM Swapped

Act fast:

  1. Call your carrier immediately from a different phone. Tell them your number was swapped without authorization. Demand they reverse it and freeze your account.
  2. Change your email password — this is the master key to everything else. Do it from a trusted device, not one that might be compromised.
  3. Change passwords on your bank, crypto, and social media accounts. Start with the highest-value ones.
  4. Check for unauthorized transactions. Contact your bank to dispute fraudulent charges and freeze accounts if needed.
  5. File a report with the FBI's IC3 (ic3.gov) and your local police. This creates a paper trail that helps with bank disputes and insurance claims.
  6. File a complaint with the FCC (fcc.gov/consumers/guides/filing-informal-complaint). This puts pressure on carriers to take SIM swap prevention seriously.
  7. Set up a fraud alert with the credit bureaus (Equifax, Experian, TransUnion). A SIM swapper who has your personal info might try identity theft next.

Your Phone Number Was Never an Identity

The core problem is that the phone system was built in an era when your phone number was physically tied to a copper wire in your wall. Porting that number was a deliberate, unusual event. Now that numbers float freely between devices and carriers, they've become dangerously easy to steal — and we've strung up a huge amount of security infrastructure on the assumption that "has access to this phone number" equals "is this person."

That assumption is broken. SMS 2FA is better than no 2FA — it still blocks the most common attacks. But if you're relying on your phone number as the last line of defense for your most valuable accounts, you're trusting a system where a teenager with $500 and your name can take everything.

Set your carrier PIN. Enable number lock. Move your important accounts to authenticator apps or passkeys. It takes an afternoon, and it removes your phone number from the equation entirely.

Sources: FBI IC3 Report, FCC SIM Swap Rules, KrebsOnSecurity, BleepingComputer

▸ TAGS
#SIM-swapping#account-takeover#2FA#social-engineering#identity-theft
▸ STAY IN THE LOOP

Weekly. No spam. No fluff.

← BACK TO ALL ARTICLES