HACKER Q&A
📣 CAPSLOCKSSTUCK

Which Wireless Carriers Protect Against SIM Swapping & Port-Out Attacks?


I've been a Google Fi customer for a long time, and one of the pros is that you need to log in to your Google Account to make service changes (plus getting a hold of support is difficult, which is good in this context). However, I'm trying to move away from Google services and want to use Fastmail on iOS instead of Gmail on Android, but Google Fi requires the use of a Google account (e.g. for the Fi app, which provides critical functionality IIUC).

So to make a long-story short, I'm looking for another wireless carrier, but I'm concerned about SIM-swapping attacks (I know, I shouldn't be using SMS-based 2FA, but many services fallback to it and don't allow this to be disabled).

So, which carriers offer some kind of protection against SIM swapping, ideally something more than a 4-digit PIN that's texted to you (looking at you Mint)? During my research, I found https://www.efani.com/, but this seems like overkill for a non-high profile person.

I'm based in the US.

Thanks in advance.

  👤 mike_d Accepted Answer ✓
Google Fi is the absolute best solution to prevent against SIM swap attacks. Turn on Advanced Protection (g.co/advancedprotection) and it is damn near impossible.

Every carrier ultimately delegates access to store and call center staff that can remove any PIN, witches curse, or anything else they offer to add to your account. MVNOs are effectively riding on the same networks and if you phish a high enough level support person at the parent carrier they can be swapped as well.

👤 PascLeRasc
I use Ting because it’s the only provider other than Fi that offers TOTP 2FA without SMS fallback. They wrote about their SIM swap policies here: https://help.ting.com/hc/en-us/community/posts/360030105653-...
👤 instagib
https://www.t-mobile.com/support/plans-features/sim-protecti...

https://www.t-mobile.com/support/plans-features/account-take...

The document reveals that SIM card changes will now require either SMS verification from the customer or the credentials of two employees.

👤 jimmies
For banks that insist on doing SMS-based 2FA, I use a less well-known Google Voice number that only I know and don't give to my normal contacts. That number does nothing other than to receive 2FA codes, doesn't forward its messages and calls to any other numbers.

My reasoning is that it would not be trivial to guess the phone number from my account/name, and to guess my name from phone number (unless someone hacks into the bank's db, in which I'm in troubles anyways). Furthermore if someone was able to figure out that link, it would not be trivial to do SIM swap on Google Voice, it would not be trivial to attack the Google Voice app. Two or three stars have to line up for someone to sim-swap that GV number.

But some stupid bank go further to ban GV numbers. In which case I just don't bank with them.

👤 CAPSLOCKSSTUCK
I appreciate the responses. I'll probably go with Ting, but Efani is also interesting.

By the way, for anyone in my situation who wants to stay with Fi but not be signed in to a Google Account on their device, https://www.reddit.com/r/GoogleFi/comments/xzqd6v/what_does_... may be interesting.

👤 sneak
Stop relying on your mobile number. I am not sim swappable because only my carrier knows my number. I don’t use the phone number of my SIM card for anything.

In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number.

👤 ratg13
Some landline carriers allow text messaging.

So if you could find one that offered that, your best bet would be a landline + PIC freeze.

👤 Zetobal
Telekom in Germany but I also use a secondary sim that is only used for emergencies and 2FA.
👤 unstatusthequo
Efani