Similar to https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/ I also got SIM swapped. However this is after I had read that article and added a pin to my account.

As background information, I’m a computer programmer who has had T-Mobile for over a decade without any issues. I currently have a Pixel 2 with an old T-Mobile SIM card with latest updates. I use Yubi-U2F two factor wherever possible (T-mobile, when are you going to support this?), if not available then TOTP, and then as last resort SMS for when neither is available. There are unfortunately many sites that still only support SMS two factor so I do have a few accounts that send secret codes via SMS to my phone.

On February 2nd or so at home I noticed my phone didn’t have mobile access. Since I had Wi-Fi calling enabled and I was on my home Wi-Fi I figured it was some sort of networking issue. The next day at work I started getting more worried. I tried force connecting to the T-Mobile network and rebooting to no avail. As my local options had run out I then called t-mobile support. They asked me my ICCID number, and then informed me that the SIM assigned to my phone had been changed. I asked who changed it, why it was changed, and when, they couldn’t tell me. They then told me to rest assured that my phone had not been hacked. I found this preposterous and asked how they could say this, eventually they took this back. The support person then suggested I change my account password and pin. I went ahead and changed both assuming that somehow my PIN had become known as it was only four digits.

So here we are a couple weeks later and the SAME THING happens again. This time with my new 6 digit pin and account password. The new support person (who was actually really nice) again had no audit information available and could not tell me the who or why of the SIM change. The support person lets me know the process for changing the SIM on an account, it involves telling them the account PIN, and then them scanning some kind of 2D barcode, then sending a unique code to either your phone or email, and then having the account holder repeat this code back to the support agent. I never received any SMS notifications from T-Mobile on my phone nor any emails to the account associated with my T-Mobile account (my email account is protected via non-SMS two factor) so something is very suspicious. I asked if she could check where the bad SIM that got assigned to my phone had come from and she couldn’t tell me. She then suggests I change my PIN + account password. I decline because it didn’t help at all since last time. She states the only thing available to her at this point is sending the information to their fraud department. I agree.

So what are we left with with given these two interactions? We know that either T-Mobile has no auditing of changes to your SIM relationship or it’s not available to support agents. We know that most likely “the only way” to change your SIM is most likely incorrect, and that there is probably at least one other way to change this relationship without knowing the account PIN (bad DB table joins, some rogue CRON job, phone trying to swap to e-SIM?). We know that they do not treat this seriously as they were not worried about this at all on my first interaction and even tried to sell a potentially false narrative to make the customer feel better. End result is that THERE ARE NO GUARANTEES TO YOUR ACCOUNT SIM BEING SWAPPED. Irregardless of the steps you’ve taking to protect your account, it can happen at any time and for any reason and they can’t tell you why or how it happened.

For this reason I’m left with ZERO confidence of T-Mobile security. I’m out. Personally I’m switching to Google-Fi, to a company who I believe is a lot more dedicated to security. The most important thing a mobile company has is the relationship between phones and a SIM, the second the protections around that relationship (passwords, PINs, etc). Not only have they failed in the protection of the most primary of secrets, they also seemingly have no way of auditing how that can happen.

Apologies for any writing mistakes, medium ate my final draft and I have a 2yo hoving over me while I wrote this :)