SIM swap: 4 hours to become you
How a 4-hour attack can compromise your complete identity, and why SMS as MFA factor is a systemic risk.
This version was translated with AI assistance and reviewed by a human.
The call landed on a Tuesday afternoon. The attacker had the target’s full name, date of birth and billing address — all pulled from public sources in under an hour. He told the carrier rep he’d lost his phone at the airport, needed the line moved to a SIM he had on him for an urgent flight. Twenty minutes later the target’s phone dropped to “No Service” in a meeting; he assumed it was the building’s dead spot and didn’t look at it again until he was back at his desk an hour later. By then the primary email was gone, the password manager was being drained, and a six-figure transfer was clearing. He never typed a wrong password. He never clicked a malicious link. Somebody just convinced a stranger, on the phone, to hand them his phone number — and his phone number was the master key to everything else.
Reading angle
The usual trap
“SIM swap only happens to celebrities and crypto millionaires.” That’s the sentence I hear in nearly every room before I open a single file, and it’s wrong on two counts that matter operationally.
Wrong on the victim profile first. The cases that reach the press involve a footballer or a crypto whale because the loss is spectacular and the lawsuit is public. The cases I actually work are duller and far more numerous: a CFO whose corporate banking ran on SMS one-time codes, an M&A lawyer whose email was the single source of deal documents, a notary, a head of payroll, a founder six weeks from a funding round. None of them were famous. All of them had two things in common — money or sensitive access on one side, and a phone number protecting it on the other. If an attacker can guess that your number is the recovery path to something valuable, you are in scope. Fame has nothing to do with it; leverage does.
Wrong on the difficulty too. People picture a hacker breaking cryptography. There is no cryptography here. A SIM swap is social engineering end to end: a phone call, three facts about you that are almost certainly public, and the nerve to lie to a minimum-wage support agent who is measured on call-handling time, not on fraud prevention. The technical bar is a burner phone and a script. That’s the uncomfortable part — the attack doesn’t require sophistication, which is exactly why the volume is so high and the prevention advice so often misses.
The dominant advice makes it worse by aiming at the wrong target. “Set a PIN with your carrier.” “Switch to eSIM, it can’t be cloned.” Both are real measures and both are secondary. They try to make your phone number harder to steal. The actual fix is to make your phone number worthless to steal — because as long as that number can reset your email and approve your bank transfers, every hour you spend hardening the carrier is an hour spent reinforcing a door while the wall next to it stays open.
What actually happens, hour by hour
The attack is a chain, and like every chain it’s worth walking link by link, because each link is a place you can break it.
What the attacker needs to start. Full name, date of birth, billing or home address. In the files I see, those three are public or trivially cheap in roughly nine cases out of ten — LinkedIn and a company “About” page for the name and employer, public voter rolls or a data broker for the address, a birthday post or a “happy 40th” comment for the date. One hour of OSINT from a chair. Where a carrier asks for more — an account number, the last digits of a national ID, an answer to a security question — that’s a marketplace purchase from a breach dump or, again, harvested from social media. “Mother’s maiden name” and “first pet” are sitting in plain view on most family trees and old Facebook quizzes.
T+0, the call. The attacker dials the carrier. The pretext is rehearsed and almost always urgent-but-polite: phone lost or stolen, travelling tonight, a cracked screen, an “upgrade” that didn’t activate. Urgency short-circuits scrutiny; the agent wants to help the distressed customer and move to the next call.
T+20 minutes, the port. Convinced, the agent reassigns the number to the attacker’s SIM, or initiates a port-out to another carrier. Your handset drops to no signal. Theirs starts ringing with your calls and receiving your texts. This is the only externally visible moment of the entire attack, and it looks exactly like an ordinary network problem.
T+35 minutes, the email falls. The attacker hits “forgot password” on your primary mailbox. The reset code arrives as an SMS — on their SIM. New password set, mailbox owned. From here it is no longer your account in any meaningful sense.
T+50 minutes, the cascade. Your inbox is a directory of everything else you own. They walk it: bank, brokerage, password manager, cloud storage, work SSO, social accounts. Each “reset my password” lands either in the captured inbox or as another SMS to the captured number. Where a bank sends an SMS code to confirm a transfer, the attacker reads it in real time and approves their own theft.
T+2h to T+4h, extraction. Transfers, brokerage liquidation, document exfiltration from mail and cloud. If you’re more valuable than the attacker can monetise directly — a sitting executive, access to a live deal — they package and resell the access rather than burn it.
It is worth naming a separate, rarer vector that no customer-side measure touches: the insider. A meaningful share of high-value swaps — the published research and prosecutions put it somewhere around one in seven — involves a bribed or coerced carrier employee performing the reassignment from internal tools directly. PINs, verbal passwords and ID checks all live on the customer-facing layer. An insider operates beneath that layer and needs to convince no one. For most readers this is not the threat to plan around, but if you are a genuinely high-value target you should assume carrier-side controls can be bypassed entirely, and design as if your number will eventually be lost.
The right approach: make the number worthless, not unstealable
Here’s the shift that reorganises everything. Stop trying to guarantee your phone number can never be taken. You can raise the cost — and you should — but you cannot make it impossible, and the insider case proves it. Instead, engineer your accounts so that a successful swap hands the attacker a phone number and nothing else. If your email, bank and password manager don’t trust SMS for login or recovery, the stolen number is good for impersonating you in a phone call and little more. The attack chain breaks at link three, before it ever reaches your money.
Concretely, that means ranking your accounts by blast radius and pulling SMS out of the top tier first. The order is not arbitrary. Your primary email comes first because it is the recovery path for everything else — own the mailbox and you own the portfolio. Your bank and brokerage come next. Your password manager comes with them, because it is the literal vault. For each of these, the migration target is, in order of preference: a FIDO2 hardware key, then a local TOTP app that doesn’t sync to a third-party cloud, and SMS only where the service offers nothing else — in which case the account doesn’t belong in the top tier anyway. FIDO2 matters here beyond SIM swap: it is the only factor that is structurally phishing-resistant, because the key cryptographically refuses to authenticate to a domain it wasn’t registered against. The passkey you’ve been offered is the same FIDO2 machinery — just confirm, for your critical accounts, that it isn’t a passkey synced to a cloud account an attacker could compromise instead.
Then, and only then, harden the carrier — because friction still has value against the ordinary attacker who doesn’t have an insider. Set a port-out PIN or account passcode (the FCC pushed US carriers to make these standard; most carriers worldwide now offer some equivalent, usually buried in the account settings). Choose something non-guessable — not your birthday, not the last four of the number itself — and store it in your password manager. Understand precisely what it buys you: it stops the lazy attacker and forces the others to work harder or go through an insider. It does not stop a “forgotten PIN” recovery flow that falls back to — you guessed it — SMS or email, nor a convincing performance at a retail store with a fake ID. Treat the carrier PIN as a speed bump, not a wall. The wall is the SMS-free top tier.
There’s one more move for genuinely exposed profiles: a dedicated, never-published number for critical services. A second line — a separate eSIM or a low-cost second SIM — that exists only to backstop accounts that can’t go fully SMS-free, and appears nowhere. Not on LinkedIn, not in your signature, not on a single marketplace listing, never used for an actual call. A SIM swap targets the number an attacker can find. If the number tied to your last few SMS-dependent accounts is one no OSINT pass will surface, the attack has nothing to aim at.
What this means concretely
For you, as a person
Your phone number is quietly the recovery key to your bank and your email, and you’ve been told that’s “two-factor security.” This week, with essentially no budget, you can break the chain that makes a stolen number catastrophic.
- Pull SMS off your email and your bank. This is the single highest-leverage hour you’ll spend on personal security all year. Open your primary email’s security settings and your bank’s, and replace SMS two-factor with an authenticator app where offered — install Aegis (Android) or Ente Auth (iOS/Android), both free, both local — or a hardware key if you already own one. Keep the printed recovery codes somewhere offline before you flip the switch. Cost: zero.
- Set a port-out PIN with your carrier, and pick it properly. Log into your carrier account or call them, and set a number-transfer / port-out PIN or passcode. Not your date of birth, not the last digits of your phone number — something random, stored in your password manager. It won’t stop a determined attacker, but it stops the casual one and buys you time. Cost: zero.
- Make your number harder to find, and write a two-line panic plan. Remove your mobile number from your LinkedIn, your email signature, and any old marketplace or classified listings — every place it appears is a starting point for the dossier. Then write down, on paper or in a note synced to a device that isn’t your phone: “No signal + suspicious? (1) Call carrier from another phone, lock the line. (2) From another device, change email password first, then bank.” You do not want to be improvising that order at 2 a.m. Cost: zero.
For you, CISO / IT director / executive
1. SMS as an authentication factor on sensitive access is a documented, citable risk — treat it as one. NIST SP 800-63B has discouraged SMS (“restricted” out-of-band) since 2017, and the FBI IC3 has issued formal warnings on the rising volume of swap-driven account takeovers. Direct consequence: you don’t need to win an internal debate on whether SMS is “good enough” — the standard already settled it. Any migration of privileged and finance-adjacent accounts to TOTP or, better, FIDO2 is justifiable on paper as documented risk reduction, which makes it budget-defensible and audit-friendly.
2. Your highest-value humans are protected by your weakest carrier’s call centre, and you have zero visibility into it. The CFO’s number, the CEO’s number, payroll’s number — each is one convincing phone call away from being someone else’s, and your EDR and SIEM see none of that conversation. Direct consequence: the controls that matter sit outside your perimeter. You harden by removing the dependency — mandate FIDO2 for executives, finance and IT admins; ban SMS recovery on corporate email and banking; and treat the personal phone number of a key executive as an organisational asset to be de-listed from public sources, not a private matter.
3. Build the response runbook before you need it, because the incident starts with an executive who thinks their phone is just glitching. The detection signal — “no service” — is indistinguishable from a network fault to the victim, so your mean time to detect is dominated by human recognition, not tooling. Direct consequence: a one-page, pre-distributed runbook (who calls the carrier and from what number, who locks email and banking, who notifies the fraud desk, in what order) collapses the window between compromise and containment. Pair it with a standing relationship and an escalation contact at each carrier for your key personnel, so the lock request doesn’t sit in the ordinary queue.
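Points 1 and 2 above rest on FIDO2 being phishing-resistant by construction, and the earlier section states the mechanism: the credential is scoped to the domain it was registered against. The added example below (written for this edit, not the page's or any vendor's code) simulates the three WebAuthn parties in Python to show where that scoping bites. The rpId is derived by the browser from the real page origin, the authenticator only holds credentials keyed by rpId, and the relying party re-checks both origin and rpIdHash. The "signature" is an HMAC standing in for the authenticator's ECDSA key pair so the block runs with the standard library; the domain names are constructed.

```python
"""Simulation of WebAuthn origin binding (added example; HMAC stands in for ECDSA)."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


def rp_id_for(origin: str) -> str:
    """The browser, not the page's JavaScript, fixes the rpId from the actual origin."""
    return urlparse(origin).hostname


class SimulatedAuthenticator:
    """Credentials live under the rpId they were created for and nowhere else."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key); key stands in for the private key

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # a real authenticator hands back a public key here

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._creds:  # look-alike domain: nothing to sign with
            raise LookupError(f"no credential scoped to rpId {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (UP set) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_login(authenticator, page_origin: str, challenge: str) -> dict:
    """What the browser does on navigator.credentials.get(): build clientData from the
    real origin and ask the authenticator for the rpId derived from that origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id_for(page_origin), hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig, "credentialId": cred_id}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id, self.users = origin, rp_id_for(origin), {}

    def register(self, username: str, authenticator) -> None:
        self.users[username] = authenticator.make_credential(self.rp_id)

    def verify(self, username: str, challenge: str, resp: dict) -> bool:
        cred_id, key = self.users[username]
        cd = json.loads(resp["clientDataJSON"])
        if cd["type"] != "webauthn.get" or cd["challenge"] != challenge or cd["origin"] != self.origin:
            return False
        ad = resp["authenticatorData"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not ad[32] & 0x01:
            return False
        expected = hmac.new(key, ad + hashlib.sha256(resp["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        return resp["credentialId"] == cred_id and hmac.compare_digest(expected, resp["signature"])


def demo():
    """Genuine login succeeds; a constructed look-alike origin gets no assertion at all."""
    key = SimulatedAuthenticator()
    bank = RelyingParty("https://bank.example")          # constructed relying party
    bank.register("alice", key)
    challenge = os.urandom(16).hex()
    genuine = bank.verify("alice", challenge, browser_login(key, "https://bank.example", challenge))
    try:
        browser_login(key, "https://bank-login.example", challenge)  # constructed phishing domain
        lookalike = "assertion produced"
    except LookupError as err:
        lookalike = str(err)
    return genuine, lookalike
```

Compare this with an SMS or TOTP code, which the user can be talked into typing on any page: here there is no code to type, and the proxy page never receives anything usable because the authenticator was never asked for the right rpId.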
Mistakes we see all the time
- SMS two-factor on the primary email. The single most common and most fatal combination. Email is the recovery key to everything; protecting it with the one factor a SIM swap defeats is the whole vulnerability in one decision.
- Believing the carrier PIN is the fix. It raises the cost for a casual attacker and changes nothing about the underlying problem — the number still resets your accounts, and the PIN itself usually has an SMS-or-email recovery path behind it.
- Reading “no signal” as a network problem for three hours. The one moment the attack is visible, wasted. People assume an outage, finish the meeting, land the flight — and the cascade runs the whole time. If your phone loses service and you have any reason to be a target, treat it as an alarm, not an annoyance.
- No written response plan. Deciding the order of operations under stress, at night, while Googling your carrier’s fraud number, guarantees you’ll do it slowly and in the wrong order. The plan must be one page, written in advance, and reachable from a device that is not the phone being attacked.
- A phone number plastered everywhere. On LinkedIn, in the email signature, on an old Marketplace listing, in a conference bio — each instance is a free pivot point for the dossier. Visibility of the number is itself part of the attack surface.
- Trusting eSIM as protection on its own. eSIM removes physical cloning and adds a little friction. It does nothing against the actual attack — talking a support agent into porting the line works identically on an eSIM.
Actionable checklist
- N1 List every critical account that uses SMS for login or for account recovery (email, bank, brokerage, password manager, work SSO)
- N1 Remove SMS as a factor and as a recovery path on your primary email and your bank first
- N1 Confirm your phone losing signal is treated as a possible attack signal, not a network glitch
- N2 Set a port-out / number-transfer PIN with your carrier, non-guessable, stored in your password manager
- N2 Migrate critical accounts to local TOTP (Aegis on Android, Ente Auth on iOS/Android) with offline recovery codes printed first
- N2 Remove your mobile number from public profiles, signatures and old marketplace listings
- N2 Write a one-page SIM-swap response plan and store it on a device that is not your primary phone
- N3 Deploy FIDO2 hardware keys (two of them) on primary email and password manager, with both registered at activation
- N3 Set up a dedicated, never-published number or eSIM for any account that cannot go SMS-free
- N3 For organisations: measure the percentage of privileged accounts still reachable by SMS, and run a tabletop on time-to-line-lock
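The ranking described under “make the number worthless” and the N3 item on measuring how many privileged accounts are still reachable by SMS are the same computation. The added example below (written for this edit, not the article's tooling) runs it over a constructed inventory: an account counts as SMS-reachable if SMS is accepted at login or recovery, or transitively if a recovery email lands in a mailbox that is itself SMS-reachable, which is the T+50 cascade. The blast-radius weights, factor names and sample accounts are assumptions for the example.

```python
"""SMS-exposure triage over an account inventory (added example; weights and sample
inventory are constructed assumptions, not from the article)."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Ordering follows the article (mailbox, then vault and money, then the rest);
# the numeric weights themselves are an assumption used only for ranking.
BLAST = {"primary_email": 100, "password_manager": 90, "bank": 80, "brokerage": 80,
         "work_sso": 70, "cloud_storage": 40, "social": 10}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str
    login: List[str]      # factors accepted at login, e.g. ["password", "sms"]
    recovery: List[str]   # recovery paths; "email:<account>" delegates to another mailbox
    privileged: bool = False


def sms_reachable(inv: Dict[str, Account], name: str, _seen=None) -> bool:
    """Heuristic: reachable with the phone number alone, directly or through an
    email reset that lands in an SMS-reachable mailbox."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in inv:
        return False
    seen.add(name)
    acct = inv[name]
    if "sms" in acct.login or "sms" in acct.recovery:
        return True
    return any(sms_reachable(inv, path.split(":", 1)[1], seen)
               for path in acct.recovery if path.startswith("email:"))


def triage(inv: Dict[str, Account]) -> List[str]:
    """Exposed accounts, highest blast radius first: the migration order."""
    exposed = [a for a in inv.values() if sms_reachable(inv, a.name)]
    return [a.name for a in sorted(exposed, key=lambda a: (-BLAST.get(a.kind, 0), a.name))]


def privileged_sms_share(inv: Dict[str, Account]) -> float:
    """Percentage of privileged accounts still reachable by SMS (checklist item N3)."""
    priv = [a for a in inv.values() if a.privileged]
    if not priv:
        return 0.0
    return round(100.0 * sum(sms_reachable(inv, a.name) for a in priv) / len(priv), 1)


def migrate(inv: Dict[str, Account], name: str, login: List[str], recovery: List[str]):
    """Return a new inventory with one account's factors replaced (the old one is untouched)."""
    return {**inv, name: replace(inv[name], login=login, recovery=recovery)}


# Constructed sample inventory, not real accounts.
SAMPLE = {a.name: a for a in [
    Account("personal-email", "primary_email", ["password", "sms"], ["sms"], privileged=True),
    Account("bank", "bank", ["password", "sms"], ["email:personal-email"], privileged=True),
    Account("vault", "password_manager", ["password", "totp"], ["email:personal-email"], privileged=True),
    Account("work-sso", "work_sso", ["password", "fido2"], ["helpdesk"], privileged=True),
    Account("photos", "cloud_storage", ["password"], ["email:personal-email"]),
    Account("forum", "social", ["password"], ["email:personal-email"]),
]}

if __name__ == "__main__":
    print("migration order:", triage(SAMPLE))
    print("privileged accounts reachable by SMS:", privileged_sms_share(SAMPLE), "%")
    fixed = migrate(SAMPLE, "personal-email", ["password", "fido2"], ["codes"])
    print("after fixing only the mailbox:", triage(fixed), privileged_sms_share(fixed), "%")
```

On the sample, the vault has TOTP at login yet still shows up as exposed, because its recovery goes through a mailbox that SMS can reset; fixing the mailbox alone removes it, the cloud storage and the forum from the list and leaves only the bank, which accepts SMS directly. That is the article's ordering argument made measurable.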
Further reading
The structuring references are in this article’s frontmatter. For the mechanics and the carrier failure rates, Krebs on Security’s long-running SIM-swap coverage and the Princeton empirical study of US carriers are the field benchmarks; the FBI IC3 advisory and the FCC’s port-out fraud guidance give you the official framing to cite internally. For the case against SMS as an authentication factor, NIST SP 800-63B is the document to put in front of anyone who still wants to argue.
To go deeper on the factors that actually replace SMS, read MFA: why your Google Authenticator app is letting you down and YubiKey and FIDO2. To understand why your email is the real prize behind the number, Your email is your passport. And to see how the pre-attack dossier gets built — and how to shrink it — Defensive OSINT and Identity compartmentation.
Sources and further reading
- Krebs on Security — SIM swap series [official]
- Princeton study — An Empirical Analysis of SIM Swap Attacks (2020) [paper]
- FBI IC3 — SIM Swapping public service announcement [official]
- NIST SP 800-63B — Digital Identity Guidelines (Authentication) [official]
- FCC — Protecting consumers from SIM swap and port-out fraud [official]