T-Mobile has a feature that gives its customers more protection from hackers trying to steal their phone number, but you probably don't know it exists because the company doesn't advertise it publicly and won't even talk about it.
It’s called “NOPORT” and, in theory, it makes it a bit harder for criminals to hijack phone numbers with an attack known as “SIM swapping,” a type of social engineering that Motherboard has covered extensively and which is increasingly being used to steal people's phone numbers.
SIM swapping attackers usually trick wireless providers into giving them control of a target’s phone number by impersonating the victim with a company’s customer support representatives—usually on a phone call. T-Mobile's NOPORT feature makes this harder by requiring customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. In theory, this should make it impossible for someone to do a SIM swap (also known as SIM hijacking or port-out scam) over the phone.
But it’s unclear whether all T-Mobile customers can have NOPORT or how effective it really is. T-Mobile doesn't even inform customers that it exists. I learned about it from a tipster, and then confirmed that it is indeed real.
I was able to activate the feature on my own T-Mobile account by calling customer service and asking for it to be put on the account, but the company has declined to answer specific questions about the feature.
Do you work at T-Mobile or another wireless carrier? If you have any tips about SIM swapping or other hacks, using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com.
Thousands of people have been victims of SIM swapping over the last few years. It’s happened to Twitter’s CEO Jack Dorsey, countless celebrities, and less famous people. It’s a years-old hack that’s used all over the world, and has become more common as criminals realized it’s a great way to hack into the digital wallets of people with a lot of Bitcoin or other cryptocurrency.
The bad news is that while SIM swapping relies on relatively simple techniques—tricking customer support reps into believing you’re somebody else, or bribing them to believe it—there’s not that much you can do about it. Ultimately, wireless carriers are responsible for preventing these kind of attacks by offering customers more secure ways to authenticate themselves.
“Port Validation” is a feature that's advertised on T-Mobile's website and that all T-Mobile customers can enable on their accounts, but it is not NOPORT. Port Validation requires customers to set a unique PIN or passcode (either via phone or via the official T-Mobile website) that company customer support representatives will be required to check when making changes to the account, such as when porting a number to a different carrier.
NOPORT appears to be a special feature that T-Mobile can enable in certain cases. Sasha Fleyshman, a cryptocurrency investor, said that T-Mobile offered to enable the NOPORT feature on his account when it got hacked.
As regular readers may know, I have a bit of a history with T-Mobile, my personal “uncarrier.” So I called customer support and asked what I could do to avoid SIM swapping attacks. The person on the phone very nicely explained that I already had port validation enabled.
Then, I asked if I could have the “NOPORT” feature. To my surprise, the representative said that, indeed, I could. She explained that this is a special feature that makes it impossible to port out your number to another carrier unless the account holder visits a store and allows a T-Mobile representative to check a government issued photo ID.
NOPORT is not documented on any T-Mobile websites, and when I asked a company spokesperson about it, she said: “As you know, port validation is a standard security feature applied to all T-Mobile accounts through the use of a PIN/passcode. We do take other security measures, at our discretion, to protect against extreme cases of fraud. I am not able to go into other detail.”
NOPORT adds another extra layer of security, although it’s not a silver bullet, as criminals could use fake IDs, for example. It’s also unclear who exactly is allowed to have it. And, for now, T-Mobile doesn’t want to talk about it.
An AT&T spokesperson said that "we confirm a customer’s identity before account changes can be made," and pointed us to the company's page on SIM swapping.
A Sprint spokesperson said that "for at risk accounts, our Fraud Management team can apply increased account protection against fraud and identify theft. This system feature is called Security Plus and when it is activated, the Security Bypass option cannot be used."
Verizon did not immediately answer an email asking whether they offer a similar feature.
Subscribe to our new cybersecurity podcast, CYBER.