Every carrier ultimately delegates access to store and call center staff that can remove any PIN, witches curse, or anything else they offer to add to your account. MVNOs are effectively riding on the same networks and if you phish a high enough level support person at the parent carrier they can be swapped as well.

https://9to5google.com/2023/01/31/google-fi-customer-hack-st...

T-Mobile is still the weakest link here. Google Fi appears to be just as vulnerable to a SIM swap attack as seen in that article.

Heck, up until the last year or two you could go to TracFone or any of their subsidiaries websites to refill/top up, type in a phone number on AT&T, Verizon or T-Mobile and get the IMEI and sim number of the line, then use that to authenticate yourself as the end user with T-Mobile. The other details like name, address, birth date and such are publicly available in state voter rolls for the vast majority of account holders.

US carriers need to provide fraud prevention APIs for free that indicate whether a phone number has changed SIM card or IMEI # in the last week, and they also need to provide free access to their LRN databases so you can see if the carrier of a phone number has changed (eg: a port out attack).

As is, some banks have implemented the LRN query check already to deregister you from Zelle and phone number authentication when you call or text them for banking, but this significant cost burden due to phone provider insecurity should be borne by the industry creating the security problem.

https://www.t-mobile.com/support/plans-features/account-take...

The document reveals that SIM card changes will now require either SMS verification from the customer or the credentials of two employees.

Unfortunately, most SIM swapping gangs these days are using stolen carrier credentials.

Store employees do not ask for the security pin or password on the account, even if it's notated that they should be asked for every time. Pretty much any account security notes like "Please email this address to request authorization for any account changes" get ignored by store reps.

T-Mobile's fraud team will tell you to file a police report about the incident, then they will ghost the police department and provide no details about what occurred, who was involved, where it happened and such. Without a subpoena you are SOL, about the only action you can take is filing a small claims court case against them and subpoenaing T-Mobile in the process. They do freak out when you send a friend to show up in Bellevue to serve the notice of said court case and the subpoena, but it's the only way to get them to acknowledge what happened and provide details so you can mitigate the compromise that occurred.

My reasoning is that it would not be trivial to guess the phone number from my account/name, and to guess my name from phone number (unless someone hacks into the bank's db, in which I'm in troubles anyways). Furthermore if someone was able to figure out that link, it would not be trivial to do SIM swap on Google Voice, it would not be trivial to attack the Google Voice app. Two or three stars have to line up for someone to sim-swap that GV number.

But some stupid bank go further to ban GV numbers. In which case I just don't bank with them.

Zelle, ACH, international wires, credit products like credit cards, home loans, personal loans, auto loans and such are all available through many credit unions, and they also reimburse ATM fees, often offer higher savings and checking account interest rates, and if your credit is poor or downright awful, they will often lend to you at a low interest rate when no bank or credit card provider would do so.

By the way, for anyone in my situation who wants to stay with Fi but not be signed in to a Google Account on their device, https://www.reddit.com/r/GoogleFi/comments/xzqd6v/what_does_... may be interesting.

One issue I see is getting deprioritized by not being a direct Verizon customer. I’ve had issues in small towns before due to this.

Second, high speed data is free globally roaming but is texting also? It says texting to 200 countries free but it implies from North America.

Safety Procedures Our security protocols use an 11-layer proprietary verification process, and no hacking attempt has ever passed beyond the third step: Any major change must be approved by multiple staff members and run through a rigorous manual process, including a notarized statement. A SIM swap can only go ahead after a 14-day cooling off period.

Meanwhile, Verizon has only kind of figured out VoLTE (and still has inbound call delivery issues) and is the most heavily loaded, slowest network in the US.

Most of these issues are area dependent, but there is a reason why AT&T held off for so long when offering their new internet air product for 5G home internet, and why Verizon is so hesitant to add network load with their home internet product, hence both of them being very selective of what address is qualify for this service.

In fact I replace it every 90 days with a new one bought for cash (Mint prepaid) with a new number.

For example, I cannot simply switch to a new water utility provider without moving out of the region. Someone’s mortgage could get sold to another bank with terrible security.

This is wholly impractical advice.

If they literally cannot function without a number, why do they need the phone number of the SIM you carry?

I have a phone with a SIM and cheap plan just for accounts associated with the building I sleep in. (Doordash et al would never get my address and any of my normal identifiers (email, phone, payment cards, etc) on the same records.) I call it the “house phone”.

I’m in the United States. My state does not have laws mandating MFA be available via any mechanism, and I’m not sure if any state does.

I do not get service if I do not provide my name, service address and some contact phone number. Maybe I could argue with a CSR for an hour to refuse to give it, but the time-value of this is ridiculous.

Secondly, if I want to turn on any form of MFA for access to my account, this phone number is then used to send codes by giving me a text. Unlike some services, receiving this code over voice is not possible. Email is not an option. My utility also has a skeleton phone support staff as they have been pushing everyone to online management, so opting to pay my bills only after I view them is now more difficult. Multiply this by a number of other services.

In the United States, the second constraint is not necessarily uncommon. Some services improve on this model by calling you with a MFA code or emailing you, but not all.

The difficult issue over the last few years are services tightening down access to which phone numbers you can even use for these services. Increasingly, services are restricting the use of VoIP numbers.

Lastly, merely giving my phone number out to friends and family is a risk to keeping total privacy. A large number of messaging services upload your full address book of names and numbers to the service. It only takes one person using one app for the potential mapping of your name to phone number to leak. I am not going to rotate phone numbers amongst family and friends every few months to avoid this because this would be an enormous use of time.

I’m glad you are able to make the scheme work but this isn’t a workable model everywhere.

People call me with apps, not with phone calls. You can sign in to apps with a number that isn’t the number of your SIM card.

Good for you but that is not practical advice.

So if you could find one that offered that, your best bet would be a landline + PIC freeze.