HACKER Q&A
📣 benrapscallion

How do I protect myself against SIM swap attacks?


I am on T-Mobile in the US, if that helps.


  👤 ridaj Accepted Answer ✓
Use authenticator app for 2FA, not your phone number.

But be really sure you want to do this. The main reason I would not recommend ordinary consumers do this is that if you lose your SIM (e.g., stolen or lost phone), you can go to a mobile phone shop and get a new SIM card issued to you after verifying your identity. With other forms of 2FA, you do not have access to the same real-life-based identity verification service, and it is also essentially the source of SIM-swap risk.


👤 kentbrew
A year ago I was simjacked by someone who walked up to a T-Mobile kiosk in San Diego and acquired my phone number by simply claiming they were me. This bypasses every possible layer of protection you can set up with T-Mobile; an actual human employee just went ahead and gave my SIM away.

Fortunately my wife is primary on the account and is very much on the ball. She got texts that the SIM card had been changed and within minutes had them recover it and lock it back down. Besides "ditch T-Mobile," this might be the best piece of advice: don't be your own primary, and be sure your primary has your SIM card on extra-paranoid notify-me-instantly-if-it-changes mode.

Fortunately the first thing they were after was my Coinbase account, which they two-factored only to discover was empty. If they'd hung around a while and poked around I would have been well and truly pwned. So, second piece of advice, already said upstream: do whatever you can to avoid giving online services your phone number.

When I finally got in front of a support rep they confirmed the whole thing and (just because I was there, and large, and extremely pissed off) let me take as many photos as I wanted of the entire incident report right there on their kiosk. This by itself did not fill me with a strong sense of confidence in their opsec; third piece of advice is: anybody but T-Mobile.


👤 dookahku
I use Google Fi because the SIM card is attached to my Gmail account, where I can use a real 2FA.

👤 taubek
In my country we have one method that is kind of stupid, but it should work. You pay your phone bill after the deadline, so you are always one month behind. This way you are always in debt, and as such you cannot transfer your number to another operator. I didn't test it, but it should work, at least for my operator.

👤 borplk
As much as possible avoid providing your phone number to the services that you use.

Many of them don't have a separate toggle for phone-based recovery so as soon as you provide the phone you are opting-in for phone-based recovery which makes you vulnerable.

I think all services should have a specific checkbox for this option, if they insist on SMS recovery stuff.

Long story, but some time ago I managed to convince my phone provider to require a "password" when I call them. They had added a saved note against my customer record advising any support agent to ask for the password. I rarely called them but I did see it actually working when I later interacted with them and they asked me the password. I don't recommend this approach at all as it's not reliable.


👤 greatjack613
I use Google Voice locked with 2FA like the rest of my Google account.

And yes, I have never been rejected from a service for using a Google Voice number as my 2FA source. Heck, even my Google account uses 2FA through the Google Voice number - as one option :)


👤 CAPSLOCKSSTUCK
One answer I haven't seen mentioned yet is to use a carrier who lacks a physical presence (e.g. many MVNOs). I'm not sure if the MVNO security infrastructure can be circumvented by employees at the source network's physical stores, however. E.g. if I use Boost Mobile, can a Verizon store employee override the PIN I've set?

Of course the best answer is to not rely on SMS or voice call 2FA, but as others point out, some services only support these insecure options.


👤 6sp
I think the first way to protect yourself is to switch from T-Mobile; they have notoriously bad security. In fact, with all the recent leaks, I don't understand what they can do to actually safeguard accounts against SIM swap attacks.

The most secure way to protect against SIM swap attacks is not to use a SIM-based number for 2FA. I'd suggest using Twilio, Telnyx, or a similar service where you have more control over the number and even the porting process.


👤 toastal
Meanwhile, I got an e-mail yesterday from Wealthfront saying US-based SMS is now required for 'security' despite having TOTP. Hopefully this was an error and they meant 2FA with SMS as a minimum for security; otherwise they don't understand security or they want your phone number for 'other' reasons. If it's not a mistake, that'll be the straw that broke the camel's back for me.

👤 jrootabega
Have a separate SIM/phone dedicated to 2FA.

Send a test SMS to yourself at least twice a day.



👤 missedthecue
Don't use text messages as 2FA in the first place.

👤 high_byte
Security researcher here, but cellular protocols are one of the few things I hadn't touched; I'm only slightly familiar from reading and hearing. So reading your title made me wonder what actually can be done, aside from everything people wrote here. Seems like this is a gap in security, globally. It really seems to be (one of) the weakest link(s). All other answers are fine under certain conditions, impractical in reality.

One of the things I do think can be an improvement is using a virtual SIM, such as Twilio; then it's more manageable, you get notifications, and it's probably more secure than an employee being socially engineered to give your number away...