T-Mobile has an account feature to prevent your mobile number from being stolen by SIM swappers, but it's a secret and it may not work all that well.
Reporter Lorenzo Franceschi-Bicchierai of Vice Motherboard, a longtime T-Mobile customer, uncovered the "NOPORT" feature after being tipped off about it. He called T-Mobile and had it added to his account.
In theory, having NOPORT on your account makes it so that if you want to move your number to another SIM card or another carrier, you have to physically walk into a T-Mobile store and present government-issued ID along with the phone.
But wait, you ask -- isn't that the standard procedure for moving your number to a new carrier or SIM card?
No, as a matter of fact. T-Mobile and AT&T normally let you port that number by simply calling customer service and convincing the tech-support rep on the other end of the line that you are in fact you.
T-Mobile and AT&T do have options whereby you can add a PIN or a passcode to the account to further verify your identity, but those aren't foolproof either. (Verizon and Sprint require everyone to have an account PIN to make account changes.)
So much bound up in 10 little digits
As you might imagine, this situation makes it rather easy for a scammer, especially one who knows things about you such as your street address, date of birth and full name, to steal your phone number.
The crook will then get text messages meant for you, which means he can abuse password-change requests and two-factor authentication to take over many of your online accounts.
SIM swapping has become quite a big problem in the past couple of years, especially among cryptocurrency traders and holders. Millions of dollars in Bitcoin and other currencies have been stolen by SIM swappers, and the Twitter account hijack suffered by Twitter CEO Jack Dorsey a couple of weeks ago may have also been the result of a SIM swap.
But wait, we're not done yet
So when Franceschi-Bicchierai had the T-Mobile tech-support rep add the NOPORT feature to his account, he thought he was finally better protected from SIM swappers -- or at least those without convincing fake IDs. (That won't always work, as earlier this year someone convinced reps at a T-Mobile store in New Jersey that he was in fact Franceschi-Bicchierai.)
He still couldn't get any official T-Mobile PR representatives to confirm the feature existed, though.
But after his story went live earlier today, Franceschi-Bicchierai said he was contacted by a fellow reporter who called T-Mobile support and asked to have NOPORT enabled on his or her account as well.
Lo and behold, that reporter (as yet unnamed) was told that NOPORT could be disabled if the port-out requester called T-Mobile customer support and told support reps the account holder's PIN, the last four digits of the account holder's Social Security number and a one-time-use numerical code transmitted to the account holder's number via SMS.
No appearance at a T-Mobile physical store with photo ID would be required to suspend the feature that mandates an appearance at a T-Mobile physical store.
So what's the status of all this? We won't know until T-Mobile makes a statement. But we do see that even the watered-down version of NOPORT, with that special extra single-use code, is more secure than T-Mobile's optional port-validation feature.
Still, as Franceschi-Bicchierai notes, that won't stop a determined attacker from just going from one T-Mobile store to the next until he or she finds a support rep who can't be bothered to check ID.