SIM card swap scam

First thing, you can prevent this by having an account-level PIN, which you can do on T-Mobile as well. This prevents anyone from porting your number. I believe the ZDNet editor didn't have this and also had pretty weak passwords just because he had 2FA via SMS.

I have seen this many times, especially on the T-Mobile subreddit. After that, from more than a year back now, I believe T-Mobile started the account-level PIN where you need to provide that to have any account change or port out. Obviously if someone keeps their birthday as that PIN or 1234 then it ain't doing much.

Kind of understandable if the common man doesn't know about some of the secure practices, but I was surprised to see a lot of tech bloggers didn't use password managers and use unique randomized passwords for every website along with 2nd factor authentication.
 
First thing, you can prevent this by having an account-level PIN, which you can do on T-Mobile as well. This prevents anyone from porting your number. I believe the ZDNet editor didn't have this and also had pretty weak passwords just because he had 2FA via SMS.
Yeah I agree, plus not sharing date of birth or phone numbers with social media, which I don't.
 
I use the built-in eSIM with my Pixel 3 XL. The eSIM is electronically identified with the phone and cannot be used separately from the phone. I've also used LastPass password manager for many years. I'm not concerned.
 
I have heard of this before and was terrified, but I took the lock down advice and I feel a little better. This reminds me of the old phone cloning from the early days of cell phones, but far less complicated so a dumber criminal can pull this off.
 
Here is my question....in the article, the author wrote about an example from another journalist from ZDNet, that TMO had sent a text saying if that change wasn't correct, to call 611. He said that since TMO took his cell service, that wasn't possible. I was under the impression that 611 would go through no matter what; similar to 911.
 
Here is my question....in the article, the author wrote about an example from another journalist from ZDNet, that TMO had sent a text saying if that change wasn't correct, to call 611. He said that since TMO took his cell service, that wasn't possible. I was under the impression that 611 would go through no matter what; similar to 911.
Similarly, is it even possible for his legit phone to get that notification if the service was already stolen?

In any case, I'd had an account level PIN on Verizon for years, plus take other precautions.
 
Here is my question....in the article, the author wrote about an example from another journalist from ZDNet, that TMO had sent a text saying if that change wasn't correct, to call 611. He said that since TMO took his cell service, that wasn't possible. I was under the impression that 611 would go through no matter what; similar to 911.
Not sure, never tried it without service.
Similarly, is it even possible for his legit phone to get that notification if the service was already stolen?

In any case, I'd had an account level PIN on Verizon for years, plus take other precautions.
Maybe they change something, you would receive a notification.
 
And, among his entire family, they had only one phone? These days, that's like not having an email address.

BTW, mustang7757, thanks for the thread. Something to keep my eye on. (And I'm going to have to find out if my MVNO can somehow use my eSIM.)
 
I use the built-in eSIM with my Pixel 3 XL. The eSIM is electronically identified with the phone and cannot be used separately from the phone. I've also used LastPass password manager for many years. I'm not concerned.

Aren't you still vulnerable to a social engineered attack where a thief could contact your provider and convince them that "you" want to start using a physical SIM? Or does the eSIM make this impossible?

I'm thinking of making the switch to Fi and going with an eSIM.

Also, I was giving T-Mobile a try a year or so ago and the default PIN they used was the last 4 digits of my SSN, IIRC. I requested that be changed and was told multiple times that it couldn't be done. Accurate or not, the response I got to my requests was enough of a concern to drop them after one month.
 
Aren't you still vulnerable to a social engineered attack where a thief could contact your provider and convince them that "you" want to start using a physical SIM? Or does the eSIM make this impossible?
I contacted Fi to be sure of my answer. If someone wanted to change my eSIM to a physical SIM, they would not only have to have my Fi password (long, complicated, and kept in LastPass), they would also have to have actual physical access to my phone that contains the eSIM. In other words, it is impossible for a thief to hijack my Fi eSIM and gain access to my account.

Edit:
I should add that in order to gain access to my LastPass account, they would not only have to have my LastPass password (a long and complicated phrase that only I would know), since I use two factor authentication, they would also have to have my fingerprint.
 
I contacted Fi to be sure of my answer. If someone wanted to change my eSIM to a physical SIM, they would not only have to have my Fi password (long, complicated, and kept in LastPass), they would also have to have actual physical access to my phone that contains the eSIM. In other words, it is impossible for a thief to hijack my Fi eSIM and gain access to my account.
Don't make these hackers hard at work to figure it out lol, just say yeah it's easy to obtain so they go to the next thing.
 
Also, I was giving T-Mobile a try a year or so ago and the default PIN they used was the last 4 digits of my SSN, IIRC. I requested that be changed and was told multiple times that it couldn't be done. Accurate or not, the response I got to my requests was enough of a concern to drop them after one month.


Mine isn't my last four of my social. Whoever told you that was incorrect.
 
I had never heard of this.

I just chatted with T-Mobile about it and this is what they told me.

Hey there XXXXX, thanks for reaching out to your friendly neighborhood T-Force for assistance. Here at T-Mobile your account security and privacy are our #1 priority and I want you to know that we're always on your side to ensure you're well protected. To avoid situations like this, we have 3 main lines of defense available to you to ensure you rest easy knowing your account is secure. First off is obviously your T-Mobile account passcode. This 6 to 15 digit security passcode prevents anyone, without you actively sharing it with them and authorizing them, from making any kind of changes in your account. It's always a good rule of thumb to make it good for you to remember, but hard to guess. After that, and the most relevant for us here in social media, is correctly setting your My T-Mobile online line permissions and creating a strong password for your online account. Only lines with Primary Account Holder and Full permissions are allowed to make changes like these, and owners of those lines and online accounts must make sure to set strong passwords to avoid any brute force attempts to access your information. And third but definitely no less important, we always require the person asking for a SIM change to verify a One Time PIN before making changes. This can be delivered to either the line in question or the email attached to the account, all according to the permissions you have set. Without verifying this OTP, there's no way we're able to change your SIM and you must visit one of our T-Mobile stores with your identification to do so.

Together, these three methods provide us with the means to protect your account and ensure you're always aware of all the comings and goings of your account. Pretty good, right?
 