SIM swapping or “SIMjacking” is a nasty type of a phone number takeover attack that is done for purposes of bypassing the SMS-based two-factor authentication step that is protecting an account. Fraudsters are calling the target’s telecom provider and try to trick the agent into porting the requested number to their SIM card, presenting some stolen identification details to convince them of their identity. In some cases, they collaborate with the agent who is knowingly engaging in the illegal act, and receives a generous reward from the scammers. Verizon has recently introduced a new feature that will hopefully make SIM swaps harder, calling it “Number Lock”.
https://twitter.com/verizon/status/1275127270152306688
Telecom providers have been offering half-baked solutions to their customers thus far, so seeing something like “Number Lock” is very important, even though it isn’t absolutely perfect or safe. The feature is available through the Verizon mobile application, allowing the users to just switch the slider to the “locked” position for the phone number they want. Even if a scammer calls the Verizon customer support service and asks for a number port, and even if the representative is bribed and willing to do it, the user’s setting will stop the process as there’s no way to override it. Or is there?
All mobile apps and online services have a back-end, and there are always users (telco employees) who have access to that back-end's dashboard. So, the scammers would just have to bribe someone who is working on a higher level, and they could change the target's setting to the “unlocked” position. Of course, this is not as simple as it sounds, and companies keep login logs for back-end access, etc. Even then, someone could use stolen credentials to perform the trick. Remember, SIM swappers are going after big money like crypto wallets that hold millions of USD, so the motive for everyone involved is strong.
We cannot deny that Verizon has just made a move in the right direction, but using SMS-based 2FA should still be considered relatively unsafe. If you have valuable online accounts, protect them with an authenticating USB stick, or use an authenticator app instead. If you have no other option than to receive one-time-passwords via SMS, use a phone number that nobody else knows and don’t share it online for any reason. If hackers don’t know which number to target, they have no way of porting anything onto their blank cards.