As reported by Motherboard, T-Mobile has a feature called “NOPORT” that protects its customers from SIM swapping attacks. The feature is activated at the customer's request, but because it is not advertised or mentioned on the company’s service description web pages, almost no one knows about it. As a result, no one is asking T-Mobile to activate it, and customers remain vulnerable to SIM swapping. This type of attack has become very popular lately, mainly targeting cryptocurrency owners but not limited to them.
Motherboard learned about “NOPORT” from a reader’s tip and called T-Mobile to ask about it. While the carrier didn’t offer further details about how the feature works or how effective it is against SIM swappers, it looks like NOPORT requires customers to visit a physical T-Mobile store for the port to take place. There, the rightful owner must present their photo ID in order for the number to be ported to a new SIM card or to another carrier. This makes it a lot harder for malicious actors to port the victim’s number onto their own SIM card, as it would require them to steal more details in order to craft counterfeit IDs.
The protection feature that T-Mobile is actually promoting is the “port-validation” system, which requires the customer to set a unique PIN or passcode that will be used for porting. When someone tries to port the number to another card or carrier, the customer must provide this code for the change to take place. This is very different from NOPORT, though, as it doesn’t require the customer to be physically present in an actual shop. Moreover, if the customer is using the same PIN or passcode elsewhere, SIM swapping actors could already have gotten their hands on it.
Our opinion on the matter is that you should immediately activate whatever protection measure is available to you. That is especially the case if you have a valid reason to fear being targeted by SIM swapping actors. If you are a T-Mobile customer, call them right away and ask them to activate NOPORT. If for any reason you’re not eligible for this service, at least set a PIN for the “port-validation” system. If you own cryptocurrencies, you'd be better off using a hardware wallet, a verification USB key, and a secret email address for 2FA.