clock menu more-arrow no yes

Filed under:

T-Mobile is adding PIN protection to its port-out process

New, 7 comments

Another line of defense against SIM swapping

There may soon be an extra step when switching carriers.
Illustration by Alex Castro / The Verge

T-Mobile will be adding a new layer of security to its port-out process with the addition of a PIN, according to the company. According to The T-Mo Report, which obtained an internal document, the new number transfer procedure would require users to obtain a six-digit PIN from T-Mobile’s app or site and provide it when attempting to change their number to a different provider, which could make it harder for bad actors to steal phone numbers in “SIM swapping” attacks.

In a statement to The Verge, T-Mobile Media Relations confirmed the company is “putting Number Transfer PINs in place to add an additional layer of security to protect customers from unauthorized port outs. These PINs will be put in place soon.”

According to The T-Mo Report, the process will only be available to postpaid customers to start, not including people signed up through the Lifeline program.

It’s good to hear that T-Mobile may be adding this feature, as it could help prevent SIM-swapping attacks, where a scammer convinces a telecommunications provider to transfer a phone number into their control. As Android Police notes, Verizon and AT&T have already implemented number transfer PINs. While it might not prevent all SIM-swapping attacks (in theory, an attacker with a T-Mobile account and device wouldn’t have to go through the port-out process since the number would be staying in the same network), the PIN requirement can act as another line of defense in addition to T-Mobile’s existing account takeover protection tools.

SIM swap, or porting-out, attacks have seemingly become popular with cybercriminals in recent years and have been implicated in high-profile cases like when then-Twitter CEO Jack Dorsey’s Twitter account was hacked. They’re attractive for a few reasons: they provide a wealth of information (many two-factor codes are still sent through SMS), and it can be difficult for a victim to realize they’ve been attacked and recover from it. The Federal Communications Commission recommends immediately contacting your cell carrier if you suspect someone has swapped your SIM, but that can be difficult to do given that your phone will no longer be functional.

T-Mobile’s reputation for security has taken a few hits recently, as the company has been affected by a string of data breaches and cybersecurity incidents. While some have been relatively minor, one in August 2021 affected over 50 million people.

Update March 17th, 6:55PM ET: Added confirmation and statement from T-Mobile.