SIM swapping

If you think that SIM swapping just means you putting a new SIM card into your phone, you should read this great article:

Sharp SIM-Swapping Spike Causes $68M in Losses | Threatpost

SIM swapping is a very real threat that, if executed against you, can result in the takeover of some of your Internet accounts.  And it's quite easy to execute.

Here are some addition suggestions beyond those in the article:

  1. Put a strong, unique password on your cellular account login. The article mentions "variation of unique passwords" but that's not secure.  You should be using long random passwords for all accounts and a password manager to manage those passwords.
  2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.  Not all carriers will allow this.
  3. Alternatively, for more security but less convenience, call up your carrier and tell them not to allow any changes to your account unless you're physically present in one of the carrier's stores and a carrier employee verifies your ID.  Not all carriers will allow this.
  4. Even better, get a second, separate phone number for use only for account ownership, authentication, and 2FA.  Don't this use account to call anyone, and keep the number as private as possible. Google Voice is a great choice.  There are ways of getting a GV number if you live in Canada or another unsupported country.
  5. Put a PIN on your phone's SIM card. You do this from your phone's settings. This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping. But the effect of a stolen phone -- and therefore stolen SIM card -- is essentially the same as that of SIM swapping: your accounts that use SMS for ownership, authentication, or 2FA can get taken over.
  6. Make sure you store the passwords/PINs mentioned above in your cloud-based password manager, and for resilience make sure you can access your password manager from all of your devices.  (This also applies, of course, to all your other account credentials.)