Advertisement
Tech by VICE

Verizon Makes SIM Swapping Hard. Why Doesn’t AT&T, Sprint, and T-Mobile?

Verizon employs different security procedures when porting a phone number to a different SIM card than the other carriers. This is making SIM swapping attacks harder to perform against Verizon customers.

by Lorenzo Franceschi-Bicchierai
Sep 19 2019, 2:19pm

Image: Patrick T. Fallon/Bloomberg via Getty Images

Last week, we revealed the existence of a little known feature that could make T-Mobile customers a bit more secure against the rising fraud known as SIM swapping.

The feature is called NOPORT, and it makes it a bit harder for criminals to steal the phone numbers of T-Mobile customers. This attack, also known as SIM hijacking or Port Out scam, allows criminals to take control of a victim’s phone number and then use that to reset their email password, banking account, and other important accounts that may be tied to that number.

As it turns out, Verizon has an even better solution: if your phone number gets activated on a different device, and on a different SIM card, the company shuts down service. To make this work, Verizon monitors what IMEI—a unique number that identifies a cellphone—is linked to your phone number. If the IMEI changes, Verizon cuts service until the customer verifies the change on their online account portal.

Do you work at Verizon or another wireless carrier? If you have any tips about SIM swapping or other hacks, using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

That’s what a Verizon customer support representative told a reader when they asked about NOPORT and what solutions the company had in place to protect customers from SIM swapping. Here’s the customer support explanation:

“We do not have NOPORT, but our network itself prevents this with our security procedures. Our network keeps in contact with your phone at all times, while verifying the IMEI of your phone and SIM card ID with your account information.”

“As soon as another SIM is reported to be connected to your number on our network, all service is stopped to both devices. To gain service connection again, the phone just needs to be restarted. However, when this happens our network will verify your phone's IMEI with your account, the other user will most likely try the same thing, but their phone will not work since their phone will not match the details on your account.”

It’s unclear whether Sprint, AT&T, and T-Mobile do the same kind of monitoring. None of the companies responded to our requests for comment.

A T-Mobile employee said that the carrier does not have a similar solution to that implemented by Verizon.

“When someone tries to change their SIM card, customers are required to receive a temporary PIN number to the primary cell phone number on the account. Once that has been verified then the new SIM card number can be processed into the system.” the employee, who asked to remain anonymous as they were not allowed to speak to the press, said. “This is to stop random people from taking over your phone number without your permission. An additional feature that T-Mobile did was they made it so that only cell phones can receive the temporary PIN number.”

Meanwhile, another T-Mobile employee who also spoke on condition of anonymity because they were not allowed to talk to the press explained why T-Mobile doesn’t advertise NOPORT.

“This feature isn't advertised or promoted because rules and regulations around [local number portability]LNP are in favor of the consumer being able to freely transfer their number to a new carrier," they said. "The ‘noport’ and ‘port freeze’ features interferes with that ability and therefore must only be adding upon verbal request. The carriers can't put a blanket freeze on every number because it would be against the FCC rules even if the reasoning is to protect against number hijacking/identity theft.”

Correction: a previous version of this story stated that Motherboard had verified the Verizon security feature by switching a SIM card to a different device, but that was not the right test to verify this feature.

Subscribe to our new cybersecurity podcast, CYBER.