SIM card swapping is a major problem for cell phone users. It involves a criminal transferring your mobile account information, including your phone number, from your SIM card to a different one.
Once they take control of your phone, crooks can gain access to your account and pretend to be you. Even without your passwords, they can pull money from your accounts by accessing password reset codes that are often sent as a text message to your phone.
What the Big Carriers Are Doing to Prevent SIM Card Swapping
The good news is that the fight to safeguard your phone and the data inside of it is not one that you have to take on alone. The major carriers have some protections in place, but as you’ll see, some are doing more than others.
Clark.com reached out to the major service providers — Verizon, AT&T, Sprint and T-Mobile — to see what they’re doing to prevent SIM card swapping. Read on to learn which company offers the most protections…
Protection strategy: Administrative Lock
Statement from Verizon: To protect yourself from SIM swapping fraud, Verizon recommends you call its customer service line and put an Administrative Lock on your account. This means no changes can be made (including porting a number to another carrier) without you calling in to personally verify the transaction.
In addition, consumers need to be vigilant about protecting their personal information. For instance, Verizon will never make an outbound request for customers to provide personal account information. So even if you see an inbound call that looks like it’s from Verizon, if it doesn’t feel right, it probably isn’t. If you have questions, hang up and immediately dial Verizon’s customer service line at 1-800-922-0204 or *611 from your mobile device.
Here are some other anti-SIM card swapping measures from Verizon:
- One-time code: When a device or SIM card change is requested, Verizon requires that customers verify a one-time code.
- Port freeze: Customers can also opt for a Port Freeze that prevents their phone number from being ported out to another carrier. Customers can request a port freeze by calling *611 from their cell phone.
- Enhanced Authentication: To sign in to your account or contact customer service, you’ll be prompted to verify your identity via two-factor authentication (a one-time code sent to your phone). Here’s how to enroll in Enhanced Authentication:
  1. Sign in to your My Verizon Account.
  2. Go to Profile Setting under the account drop-down.
  3. Select Enhanced Authentication under the Security section.
Protection strategy: Depends on the risk
Statement from Sprint: Sprint takes a risk-based approach to SIM swaps, and different modes or channels have different requirements. Some modes require OTP (one-time password) authentication, in addition to PIN and SQA (software quality assurance).
Some modes require other information in order to perform a SIM swap. For example, a SIM swap request through the Sprint website requires the ESN (electronic serial number) for the new device, and we have additional fraud controls in place that we do not disclose publicly.
In retail stores, access to any CPNI (Customer Proprietary Network Information) info — including for SIM swap — requires an ID scan (except in states that do not allow this practice).
Here are some other security measures from Sprint:
- PIN requirement: Sprint says it requires a PIN for every account by default. “An account cannot be established in our system without a PIN code associated,” a spokesman told Team Clark.
- Instant notification: To protect accounts, Sprint notifies its customers each time their PIN, security question or answer changes. Based on a customer’s preference, this notification can be sent via email or text message.
- Customers can update their PIN and/or notification preferences on Sprint.com.
Protection strategy: “Extra protection”
For AT&T’s response, a PR spokesman referred me to this article on their site.
It includes this information:
Add all “extra security” measures to your AT&T Wireless accounts. If you create a unique passcode on your AT&T account, in most cases we’ll require you to provide that passcode before any changes can be made, including ports initiated through another carrier.
Here are some other security measures from AT&T:
- Report suspicious activity: Report an unauthorized SIM card swap to AT&T by using the contact information on your bill.
- Add ‘extra security’ to your account: You can do that by following these steps:
  1. Go to Profile and then Sign-in info.
  2. Select Manage Extra Security in the Wireless passcode section.
  3. Check Extra Security and re-enter your passcode if prompted.
Protection strategy: PIN
Statement from T-Mobile: Account takeover fraud is an industry-wide problem. These are criminal attacks against wireless customers and it is in everyone’s best interest to stop them.
We are constantly working hard to do this and use several safeguards to help protect against this crime and offer customers a variety of options, including PINs, to help them protect their own information. T-Mobile accounts must have a 6-15 digit PIN, and a customer’s number cannot be ported without verification of that PIN. We encourage customers to contact us to discuss security measures available to them.
Here are some other security measures from T-Mobile:
- Over-the-phone verification: When you call T-Mobile Customer Care, you will typically be asked to verify certain personal information to establish your identity. If you have requested the use of a Customer Care password on your account, you will be asked to verify it.
- PIN/passcode: If you don’t already have a PIN/passcode, you are prompted to set one up when you log in to My T-Mobile.
- Port validation: T-Mobile says customers must have their PIN/passcode for port validation. Without this standard security feature, customers won’t be able to change carriers and port out their phone numbers.
- NoPort: NoPort means your phone number cannot be ported out without you providing proper identification in-store. “For the vast majority of our customers, the port validation feature that is standard on our accounts is sufficient,” a T-Mobile spokesperson tells Clark.com. “We do have security measures to protect against extreme cases and add further protections for unauthorized porting. The NoPort feature is something we offer the very small subset of customers who have been victims of fraud. There is no silver bullet when it comes to data security, which is why we are constantly working hard to stop criminal attacks against wireless customers.”
The major wireless carriers all have security measures to counter SIM card swapping, but Verizon perhaps has the most thorough feature: account locking. Here is a high-level look at the protections Verizon, AT&T, Sprint and T-Mobile offer:
- Verizon encourages its customers to put an Administrative Lock on all of their accounts.
- Sprint requires its mobile accounts to have PINs associated with them by default.
- AT&T allows customers to create unique passcodes for their accounts, although it’s not required.
- T-Mobile prompts customers to set up PINs to talk to customer service reps and access some features of their online accounts.