Your phone just lost signal. Not the spotty-bar-in-a-parking-garage kind. Full dead. Meanwhile, someone three states over is draining your checking account using a phone that now receives your text messages, your two-factor codes, your password reset links. Everything.
This isn’t some dystopian hypothetical. It’s happening thousands of times a year, to ordinary people, and the numbers are getting worse fast.
We recently published a full technical deep dive into how we secure accounts at US Mobile, covering the architecture, the tradeoffs, and the engineering behind features like Enhanced Security, passkeys, and BreachShield. But we kept hearing the same follow-up: “Okay, but what are these attacks you keep building against? How do they actually work?”
Fair enough. Let’s get into the threats themselves, with real numbers, real-world examples from inside and outside the telecom industry, and the frameworks that matter.
SIM Swap Fraud: The One That Wiped £300 Million Off a Retailer’s Market Cap
You’ve probably heard the term. Maybe you picture some hacker in a hoodie doing something complicated with circuit boards. The reality is painfully simpler than that.
A SIM swap happens when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Sometimes they do this by sweet-talking a customer service rep with stolen personal details (your birthday is on your Instagram, by the way). Sometimes they straight-up bribe a store employee. Reports suggest insider bribes run around $300 per swap. That’s it. Three hundred bucks to potentially steal someone’s entire financial life.
As we described in our security deep dive, your phone number isn’t just a phone line. It’s the master key to basically everything else in your digital life. Banking 2FA codes, account recovery flows, social media verifications. If someone hijacks your number, they’re stealing the keys to your entire online identity.
The numbers tell the story
The FBI’s Internet Crime Complaint Center (IC3) logged 982 SIM swap complaints in 2024 tied to roughly $26 million in direct losses. Sounds almost manageable until you realize that most SIM swaps get categorized under broader fraud types like investment scams or business email compromise. The real number? Almost certainly much higher.
Over in the UK, Cifas reported a jaw-dropping 1,055% increase in unauthorized SIM swaps, jumping from 289 cases in 2023 to nearly 3,000 in 2024. Australia saw a 240% spike in SIM porting fraud, with 90% of those attacks happening without the victim even being contacted first.
When it goes corporate
Here’s where it gets properly scary. In early 2025, a hacking collective called Scattered Spider used SIM swapping to breach Marks & Spencer, one of the UK’s biggest retailers. They hijacked an employee’s mobile number, used it to manipulate internal IT helpdesk procedures, reset credentials, and eventually deployed ransomware that encrypted the company’s VMware servers. The fallout? Online orders suspended for 46 days. Roughly £300 million in lost profit. Over £700 million wiped from their stock market value.
One phone number. That’s all it took to bring a 65,000-employee company to its knees.
One analysis called it “a textbook case of supply chain identity compromise, where attackers bypass perimeter defenses by exploiting trust and privilege in the authentication chain.” The attackers didn’t break in. They were let in. And here’s the thing that haunts us: it worked because the security protections relied on humans following protocol. There was no backend enforcement preventing the helpdesk from resetting those credentials.
That’s exactly the kind of failure our Enhanced Security architecture was designed to eliminate. When protection flags are active, the corresponding operations are blocked at the backend level. Our support team can’t override them either. The verified account holder has to disable the toggle through re-authentication first. We call it “default deny,” and it’s the same principle hardware wallets use in crypto. The safest default is the most restrictive one.
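The default-deny enforcement described here, and revisited in the how-to sections below, as an added Python illustration; this is not US Mobile's code, and the flag names, actor roles and the 300-second re-authentication window are assumptions:

```python
"""Default-deny line protection, as an added illustration (not US Mobile's code).

Assumed model: each line carries four protection flags; while a flag is set,
the matching operation is refused at the backend for every caller, support
agents included. Only the verified account holder may clear a flag, and only
with a fresh re-authentication (here: within REAUTH_WINDOW seconds).
"""
import time
from dataclasses import dataclass, field
from typing import Optional

# Operation name -> protection flag that blocks it (names are assumptions).
PROTECTED_OPS = {
    "sim_swap": "sim_swap_protection",
    "port_out": "port_out_protection",
    "network_transfer": "network_transfer_protection",
    "usage_log_access": "usage_log_protection",
}
REAUTH_WINDOW = 300  # seconds a re-authentication stays valid for flag changes


class Denied(Exception):
    pass


@dataclass
class Actor:
    user_id: str
    role: str               # "account_holder" or "support_agent"
    reauth_at: float = 0.0  # epoch seconds of the last completed re-authentication


@dataclass
class Line:
    owner_id: str
    # Every flag starts armed: the safest default is the most restrictive one.
    flags: set = field(default_factory=lambda: set(PROTECTED_OPS.values()))


def authorize(line: Line, op: str, actor: Actor) -> bool:
    """Return True if op may proceed on line; raise Denied otherwise.

    The caller's role is deliberately not consulted: once a flag is armed there
    is no agent override path, which is what removes the social-engineering risk.
    """
    flag = PROTECTED_OPS.get(op)
    if flag is None:
        raise Denied(f"unknown operation {op!r}")
    if flag in line.flags:
        raise Denied(f"{op} blocked by {flag}; the account holder must clear it first")
    return True


def clear_flag(line: Line, flag: str, actor: Actor, now: Optional[float] = None) -> None:
    """Disarm a flag: only the verified owner, and only with a fresh re-auth."""
    now = time.time() if now is None else now
    if flag not in PROTECTED_OPS.values():
        raise Denied(f"unknown flag {flag!r}")
    if actor.role != "account_holder" or actor.user_id != line.owner_id:
        raise Denied("only the verified account holder can change protection flags")
    if now - actor.reauth_at > REAUTH_WINDOW:
        raise Denied("re-authentication required before changing protection flags")
    line.flags.discard(flag)


def set_flag(line: Line, flag: str) -> None:
    """Re-arming needs no proof: moving toward the restrictive state is always safe."""
    if flag not in PROTECTED_OPS.values():
        raise Denied(f"unknown flag {flag!r}")
    line.flags.add(flag)


def demo() -> dict:
    """Walk through the expected outcomes and return them for checking."""
    now = time.time()
    line = Line(owner_id="u-1")
    agent = Actor("agent-7", "support_agent", reauth_at=now)
    owner = Actor("u-1", "account_holder", reauth_at=now)
    results = {}
    for name, who in (("agent", agent), ("owner", owner)):
        try:
            authorize(line, "sim_swap", who)
            results[f"{name}_swap_while_armed"] = "allowed"
        except Denied:
            results[f"{name}_swap_while_armed"] = "denied"
    try:
        clear_flag(line, "sim_swap_protection", agent, now)
        results["agent_clear"] = "allowed"
    except Denied:
        results["agent_clear"] = "denied"
    clear_flag(line, "sim_swap_protection", owner, now)   # owner, freshly re-authenticated
    results["swap_after_owner_clear"] = "allowed" if authorize(line, "sim_swap", agent) else "denied"
    set_flag(line, "sim_swap_protection")                 # re-arm once the operation is done
    return results


if __name__ == "__main__":
    print(demo())
```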
And if you’re in crypto specifically, you already know the stakes. The T-Mobile $33 million arbitration award in March 2025 stemmed from a single SIM swap that enabled the theft of approximately $38 million in cryptocurrency from one person. The arbitrator found that T-Mobile’s weak authentication essentially “enabled the theft.” Those are the kinds of words that make legal teams lose sleep.
Outside the industry: a real estate nightmare
Think SIM swap fraud is just a tech-world problem? Imagine you’re closing on a house. Title company emails wiring instructions. Your realtor confirms over text. Except the attacker who swapped your SIM three hours ago intercepted both the text confirmation AND the two-factor code your bank sent when you initiated the wire. $400,000, gone before you even realize your phone went quiet. Real estate wire fraud powered by phone number hijacking has been flagged by the FBI as one of the fastest-growing categories of cyber-enabled theft. Nobody thinks it’ll happen to them during what should be the most exciting purchase of their lives.
How to Protect Your Phone Number from SIM Swap Fraud
There’s no single magic button that makes you SIM-swap-proof. But stacking these steps together makes you a significantly harder target, and attackers overwhelmingly go for low-hanging fruit.
Enable backend-enforced SIM swap and port-out protection
This is the single most important step, and most people don’t know it exists. If your carrier offers protection that’s enforced at the system level (not just through support agent protocols), turn it on immediately. US Mobile’s Enhanced Security provides four granular protection flags at the line level: SIM swap protection, network transfer protection, port-out protection, and usage log protection. Each one blocks the corresponding operation at the backend. Even support agents can’t override them. The protection can only be disabled by the verified account holder through re-authentication.
The design philosophy matters here. Instead of trying to determine in real time whether a SIM swap request is legit (which is really, really hard to do perfectly, especially when social engineering is involved), the system just makes it impossible until you explicitly say otherwise.
Set a PIN or passcode on your carrier account
Call your mobile carrier or walk into a store and request a unique PIN or passcode on your account. This PIN gets required before any SIM changes or port-out requests go through. Choose something unrelated to your birthday, address, or anything someone could pull from your Facebook profile. AT&T, T-Mobile, and Verizon all offer this, though they don’t always advertise it loudly.
Switch from SMS 2FA to passkeys or authenticator apps
This takes a bit of time, but it’s the single most impactful authentication change you can make. Go through every account that uses SMS for two-factor authentication and switch to an authenticator app (Google Authenticator, Authy, Duo) or, even better, a FIDO2 passkey.
Why passkeys specifically? As we explained in our technical deep dive, when you register a passkey, your device generates a public/private key pair. The private key lives in your device’s secure hardware (Secure Enclave on iPhone, TPM on most other hardware) and literally never leaves. The credential is cryptographically bound to the specific domain, so even a pixel-perfect phishing clone of a login page can’t trick it. There’s nothing to phish, nothing to intercept, nothing to replay, nothing to stuff.
NIST has flagged SMS authentication risks since 2016. The industry has just been slow to catch up.
Tighten your recovery paths, don’t just add layers
Here’s something most people miss. Your account’s security is only as strong as its weakest recovery path, not just the primary method you log in with. If you’ve got a passkey set up but keep SMS as a backup recovery option, an attacker who compromises your phone number still has a way in through that backup.
Where possible, remove your phone number from account recovery flows on critical accounts, especially your primary email. Your email is the skeleton key to everything. Use backup codes stored in a safe place, a secondary email, or app-based recovery instead. As our security team puts it: tighten the chain, don’t just add links to it.
Check if your credentials have already been compromised
Use Have I Been Pwned to check whether your email and passwords have appeared in known data breaches. If they have, change those passwords immediately and never reuse them across sites.
Some carriers go further. US Mobile’s BreachShield continuously monitors dark web data dumps and known breach datasets. When matching credentials are found, the account gets locked immediately until the password is changed, and the event gets logged in the fraud management engine for risk scoring. They’re even working on blocking compromised passwords at registration time, rejecting passwords that have already appeared in known breaches before an account is created.
Minimize your personal information footprint online
Audit your social media profiles and hide or remove your phone number, date of birth, and home address. These are literally the details attackers use to pass carrier identity checks. Check data broker sites like Whitepages, Spokeo, and BeenVerified and opt out. It’s annoying, grunt-work stuff. But attackers piece together identities from exactly these public crumbs.
Port-Out Hijacking: SIM Swapping’s Sneakier Cousin
Port-out hijacking operates on the same principle as SIM swapping but with a twist that makes it arguably harder to catch. Instead of swapping your SIM within the same carrier, the attacker ports your number out to a completely different provider.
Think about what that means. With a SIM swap, your carrier at least has some record that a change was requested on your account. With a port-out, your number just… leaves. It moves to a carrier that has no relationship with you and no baseline to compare against.
The FCC has acknowledged this is a significant problem. Their consumer alerts describe how scammers gather personal information from social media, data breaches, and the dark web, then use it to impersonate legitimate port-out requests. Phone companies have safeguards, sure, but those safeguards tend to rely on PINs and security questions. The same PINs and security questions that were probably exposed in one of the forty-seven data breaches your information has been caught up in.
What the regulators are doing
In November 2023, the FCC adopted Report and Order 23-95, which specifically targets both SIM swap and port-out fraud. The rules require wireless carriers to use secure authentication methods before processing SIM changes or port-out requests, and they mandate immediate customer notification when these requests happen.
That’s a meaningful step. But here’s the thing: the FCC deliberately avoided mandating specific authentication methods, giving carriers flexibility to choose their own approaches. They even considered requiring compliance with NIST Digital Identity Guidelines but ultimately decided against it, worried that locking in specific methods might discourage innovation.
The result is a patchwork. Some carriers are doing genuinely good work. Others are still relying on knowledge-based authentication, which, if we’re being honest, hasn’t been “knowledge-based” since the Equifax breach put half of America’s Social Security numbers on the open market.
How we handle it differently
US Mobile’s port-out protection takes a more aggressive stance. When the port-out protection flag is active under Enhanced Security, port-outs are blocked at the backend. Period. Right now, disabling that protection to do a legitimate port requires toggling the flag off (through re-authentication), but we’re actively building a dedicated self-service port-out flow. The idea is that you’ll be able to authorize a specific port-out through enhanced verification without having to fully disable line protection. The backend will handle one-time authentication for the port, then automatically restore protection once it completes.
We’re also building automated notifications that fire both when a port-out request is initiated and when it completes. The initiation notification will include a fraud report link. Click it, and we instantly apply security flags across the line and all linked numbers, blocking the port-out before validation completes. There’s a mandatory delay built into the validation pipeline for exactly this reason, to give you breathing room.
The eSIM wrinkle
You might think eSIM technology solves this problem since there’s no physical card to steal. And physically, yes, eSIMs are safer. But for remote attacks where an attacker tricks your carrier? An eSIM offers zero extra protection. The vulnerability lives in the carrier’s authentication process, not the SIM format. Some reports actually show eSIM technology has compressed attack timelines because numbers can be transferred digitally via QR codes. UK reports of eSIM-related fraud rose from 18 in 2022 to 763 in 2024. That’s not a great trend.
Credential Stuffing: The Boring Attack That Might Be the Most Dangerous
Nobody writes breathless headlines about credential stuffing. There’s no dramatic phone call, no insider bribery, no clever social manipulation. It’s just… math. Ugly, relentless math.
Here’s how it works: attackers take massive lists of username/password combinations from old data breaches (remember that LinkedIn breach? The Adobe breach? That random forum you signed up for in 2014?) and they systematically try those credentials against other services. Banks, email providers, streaming platforms, SaaS tools, carrier accounts, literally anything with a login page.
The whole thing is automated. Tools like OpenBullet and SilverBullet, which were originally built for penetration testing, now power industrial-scale account takeover operations. Attackers load up “combolists” (structured files of email:password pairs, cleaned and categorized), rotate through residential proxies to avoid detection, and let the bots run. If even 0.1% of credentials work, that’s thousands of compromised accounts from a single campaign.
The scale is staggering
Verizon’s 2025 Data Breach Investigations Report found that compromised credentials were the initial access vector in 22% of all confirmed breaches, making it the most common way in for the third consecutive year. Their extended analysis revealed that credential stuffing accounted for 19% of all authentication attempts at the organizations they studied. Nearly one in five login attempts at a typical organization is an attacker trying stolen passwords.
Check Point reported a 160% surge in compromised credentials in 2025, with 14,000 cases of exposed employee credentials in a single month. The fuel for all this? Infostealer malware has absolutely exploded, silently harvesting saved passwords, session cookies, and autofill data from browsers. Verizon found that only 49% of a user’s passwords across different services are distinct. Half your passwords are shared. That’s why combolists work.
Real-world damage that made headlines
In late March 2025, coordinated credential stuffing attacks hit five major Australian retirement funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. Members of AustralianSuper lost a combined AUD $500,000, and roughly 8,000 Rest Super members had personal data accessed. Retirement savings. Gone. Because people used the same password for their pension fund that they used for some random shopping site.
The North Face website got hit in April 2025 too. Customer accounts were breached using previously leaked credentials, exposing names, emails, shipping addresses, phone numbers, and purchase history. It was actually the fourth credential stuffing incident affecting VF Corporation brands since 2020. Fourth time.
Beyond tech: how this hits everyday people
A compromised Amazon account sells for about $30 on dark web forums. Financial accounts like PayPal or Western Union go for $30 to $120 depending on the balance. These are established commodity markets with going rates. Your accounts have a literal price tag attached to them, and credential stuffing is how attackers check which ones are unlocked.
Why we built BreachShield
This is exactly the problem BreachShield was built to solve. The reality, uncomfortable as it is, is that people reuse passwords. A breach at some completely unrelated service (a food delivery app you used twice in 2019, a gaming forum from college) can put your carrier account at risk if you used the same credentials.
BreachShield continuously monitors dark web data dumps and known breach datasets. When it finds credentials associated with a US Mobile user’s email, the account gets locked immediately until the password is changed. The user gets an email explaining exactly what happened. The event gets logged in our fraud management engine for risk scoring.
And no, we still don’t see your password during this process. We match cryptographic hashes. When a breached dataset contains a password whose hash matches the salted reference we have stored, that’s the trigger. Plaintext never enters the picture. Ever.
We’re expanding this to block compromised passwords at registration time too, so if you try to sign up with a password already in a known breach, we reject it before you even create the account. That closes a pretty obvious gap most carriers don’t bother with.
We also run the same system on our own employees, through automated alerts when any employee’s credentials appear in breach data. Because a compromised employee account is potentially way more dangerous than a compromised customer account. We’d be hypocrites if we didn’t eat our own cooking.
How to Protect Your Organization from Credential Stuffing Attacks
If you run a business with any kind of login page (so, basically every business), this one’s for you. The good news is that credential stuffing is one of the more predictable attack patterns, which means the defenses are well-documented and genuinely effective when actually implemented.
Step 1: Deploy phishing-resistant multi-factor authentication
Implement FIDO2/WebAuthn passkeys or hardware security keys wherever possible. Avoid SMS or email codes, which can be intercepted. Google’s enterprise move to passkeys over SMS is the template here. Prioritize MFA for admin accounts, VPN access, email, and anything touching financial data or customer information. Some organizations have found creative ways to boost adoption, like Riot Games, which rewards users who enable 2FA.
Step 2: Screen credentials against known breach databases
Integrate breach detection into your authentication flow. The OWASP Credential Stuffing Prevention Cheat Sheet recommends checking submitted passwords against known breach datasets at both account creation and login. If a user tries to sign up with a password that already lives in a combolist somewhere, just don’t let them. US Mobile’s BreachShield approach shows how this works without ever touching plaintext passwords: match hashes against salted references, then automatically lock affected accounts and notify users.
Step 3: Build device fingerprinting and behavioral analysis
Go beyond IP-based blocking. US Mobile’s security engineering team describes their approach as building “a multi-signal behavioral signature” from device and session characteristics. If a login suddenly looks nothing like the user’s established pattern, that session gets flagged and extra verification kicks in. This is crucial because modern credential stuffing tools rotate residential proxies specifically to evade IP-based defenses. Fingerprinting catches what IP blocking misses.
Step 4: Implement bot detection and rate limiting
Deploy CAPTCHA, browser fingerprinting, and JavaScript interaction checks on login pages. Implement rate limiting on authentication endpoints. Consider invisible proof-of-work challenges that bots hate but humans never see. OWASP’s architecture recommendations are the gold standard reference here.
Step 5: Build a centralized fraud scoring engine
Don’t treat each signal in isolation. Aggregate failed logins, 2FA failures, breach matches, device anomalies, transaction velocity, and behavioral patterns into a centralized risk scoring system. Score each event holistically and either automatically block high-risk actions or escalate for human review. Monitor transaction velocity specifically, because legitimate users rarely swap their SIM, change devices, update their plan, and reset their password all within the same 10-minute window.
Step 6: Continuously hunt for leaked credentials
Subscribe to threat intelligence feeds monitoring dark web markets, Telegram channels, and cracking forums. Check Point found that leaked credentials in GitHub repositories take an average of 94 days to remediate. Ninety-four days. Proactive monitoring shrinks that window. And run the same monitoring on your employees’ credentials that you run for customers. We do this at US Mobile, and honestly, every company should.
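The hash matching described in the BreachShield section and in Step 2 above, as an added example rather than US Mobile's implementation; the PBKDF2 parameters, the SHA-1 breach index, and every account and leaked pair are constructed assumptions:

```python
"""Breach-credential screening without plaintext exposure, as an added example.

Pattern: hash each leaked (email, password) pair with the stored salt for that
email, compare against the stored reference in constant time, lock on match,
and refuse passwords already present in a breach set at registration time.
Everything here is assumed for illustration; it is not US Mobile's code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumed work factor; a memory-hard KDF is preferable in production


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used as the stored reference."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 is used only as a lookup key into an external breach corpus,
    the form the Pwned Passwords dataset uses; it is never the stored credential."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


@dataclass
class Account:
    email: str
    salt: bytes
    reference: bytes      # salted hash of the current password
    locked: bool = False
    events: list = field(default_factory=list)  # fed to the fraud engine for scoring

    @classmethod
    def create(cls, email: str, password: str, breach_index: set) -> "Account":
        """Registration: refuse a password whose SHA-1 appears in the breach index."""
        if sha1_hex(password) in breach_index:
            raise ValueError("password appears in a known breach; choose another")
        salt = os.urandom(16)
        return cls(email=email, salt=salt, reference=derive(password, salt))


def screen_dump(accounts: dict, dump: list) -> list:
    """Match leaked pairs against stored salted references; lock on hit.

    Returns the emails locked by this pass. The leaked plaintext is hashed with
    the victim's own salt and compared with hmac.compare_digest, so timing does
    not reveal how close a candidate came.
    """
    locked = []
    for email, leaked_password in dump:
        acct = accounts.get(email.lower())
        if acct is None:
            continue  # not a customer: nothing to check
        if hmac.compare_digest(derive(leaked_password, acct.salt), acct.reference):
            if not acct.locked:
                acct.locked = True
                acct.events.append({"type": "breach_match", "email": acct.email})
                locked.append(acct.email)
    return locked


def demo() -> dict:
    # Constructed sample data: two customers, one of whom reused a leaked password.
    breach_index = {sha1_hex("Summer2019!")}
    accounts = {
        "alice@example.com": Account.create("alice@example.com", "correct horse battery", breach_index),
        "bob@example.com": Account.create("bob@example.com", "unique-pass-for-carrier", breach_index),
    }
    dump = [
        ("Alice@Example.com", "correct horse battery"),  # reused password: must lock
        ("bob@example.com", "Summer2019!"),              # different password: no lock
        ("carol@example.com", "whatever"),               # not a customer: ignored
    ]
    locked = screen_dump(accounts, dump)
    try:
        Account.create("dave@example.com", "Summer2019!", breach_index)
        rejected = False
    except ValueError:
        rejected = True
    return {"locked": locked, "registration_rejected": rejected,
            "bob_locked": accounts["bob@example.com"].locked}


if __name__ == "__main__":
    print(demo())
```

A local SHA-1 set stands in for the breach corpus; the same key would be used to query a k-anonymity range API such as Pwned Passwords.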
Social Engineering Against Support Agents: The Human Exploit
Here’s the uncomfortable truth that no amount of encryption can fix: if someone calls your support line, pretends to be a customer convincingly enough, and your agent hands over account access, then your entire security architecture might as well not exist.
Social engineering targeting help desks and support agents has become arguably the most potent initial access technique in the attacker playbook. Research shows that social engineering attacks made up 36% of all intrusions from May 2024 to May 2025, surpassing both malware and exploits as the top breach method. Not the second most common. THE most common.
How Scattered Spider pulled it off at M&S
The Marks & Spencer attack isn’t just a SIM swap story. It’s the definitive social engineering case study of the decade. The attackers called the IT helpdesk. They had enough personal information about real employees (gathered from previous breaches and social media) to sound completely legitimate. Combined with the SIM-swapped phone numbers giving them control over two-factor codes, they convinced helpdesk staff to reset credentials. From there they stole the Active Directory database, cracked password hashes, and moved laterally until they deployed ransomware across VMware servers.
The attackers didn’t break in. They were let in. Because the security protections relied on humans following protocol instead of being enforced at the system level.
AI is making this exponentially worse
Cheap voice-cloning tools and AI-generated call scripts have turbocharged social engineering. An attacker doesn’t need to be a gifted impersonator anymore. They just need a few seconds of audio from a conference talk or a YouTube video and the right software. Feedzai’s 2025 report found that 44% of global financial services professionals say criminals are already using deepfakes, and deepfake-related fraud reports surged 1,740% between 2022 and 2023 according to World Economic Forum data.
A Hong Kong financial firm lost $25 million after an employee was deceived by a deepfake video call that appeared to show multiple senior executives instructing a funds transfer. Multiple executives. On a video call. All fake. That’s not science fiction, that’s a Tuesday in 2025.
The numbers behind the human element
The FBI’s IC3 estimated more than $13.6 billion stolen in 2024 through cyber-enabled fraud, with social engineering threading through a massive chunk of those losses. Without security awareness training, roughly 34.3% of employees will click malicious links or comply with fraudulent requests. But here’s the hopeful part: organizations that implement training see phishing risk drop over 40% in just 90 days and up to 86% within a year. Training works. You just actually have to do it.
How to Defend Your Company’s Help Desk Against Social Engineering Attacks
This is probably the most important how-to section in this entire post. Your firewall, your encryption, your intrusion detection system, none of it matters if an attacker can just call your help desk and talk their way in.
Step 1: Build systems where agents physically cannot override security protections
This is the single most important architectural decision you can make. If your security protections depend on support agents following protocol, you’ve already lost. Humans get tricked. That’s what social engineering IS.
US Mobile’s approach with Enhanced Security demonstrates the right pattern: when protection flags are active, the corresponding operations (SIM swaps, port-outs, network transfers, usage log access) are blocked at the backend level. Support agents can’t override them. To perform any of these operations, the verified account holder first disables the relevant toggle through re-authentication, completes the operation, and turns it back on. The human vulnerability is removed from the equation entirely.
Step 2: Make verification links action-bound, not session-bound
Ensure that any verification issued during support interactions is tied to a specific action. US Mobile’s agent verification protocols require device-level and account-based verification links tied to specific operations. A verification link issued for a SIM swap can’t be reused for a port-out. This prevents attackers from leveraging one successful social engineering interaction to cascade into multiple account changes.
Step 3: Require multi-channel confirmation for sensitive account changes
For high-privilege modifications, require verification through at least two independent channels. Phone request? Confirm via pre-registered email. Email request? Confirm via hardware token. This breaks the attack chain when an attacker controls only a single communication channel (like a SIM-swapped phone).
Step 4: Train staff with realistic social engineering simulations
Run regular phishing and vishing simulations that mirror real techniques, including AI-generated deepfake scenarios. 44% of financial services professionals report criminals already using deepfakes. Organizations that invest in ongoing training see massive improvements. The ones that do annual checkbox training? Not so much.
Step 5: Kill knowledge-based authentication for high-risk operations
Stop verifying identity with dates of birth, mother’s maiden name, last four of SSN, or recent payment details. The FCC explicitly ruled these are not secure authentication methods for SIM changes, and the same logic applies to your internal help desk. Use cryptographic verification tied to devices, biometrics, or hardware tokens. Implement re-authentication layers so that being logged in doesn’t automatically grant permission to make high-risk changes.
Step 6: Monitor transaction velocity and audit everything
Track how quickly changes are made to accounts. Legitimate users don’t swap their SIM, change their device, update their plan, and reset their password within the same 10-minute window. That pattern screams compromise. Log every sensitive operation with timestamps, who did it, and what changed. Implement role-based access control so not every employee can touch sensitive operations. Build escalation procedures triggered by anomalous velocity patterns.
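Steps 2 and 6 of this procedure as one added Python example (illustration only, not US Mobile's code); the token format, the HMAC key, the 15-minute link lifetime and the constructed audit trail are assumptions:

```python
"""Action-bound verification links and velocity auditing, as an added example.

Assumed design: a verification link carries an HMAC over (line, operation,
nonce, expiry). Redeeming it for any other operation, after expiry, or a second
time fails. Every sensitive operation is written to an audit log; a velocity
rule flags a line when three or more distinct sensitive operations land inside
a ten-minute window.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)  # assumed: a per-deployment secret
LINK_TTL = 15 * 60                     # seconds a verification link stays valid
VELOCITY_WINDOW = 10 * 60
VELOCITY_THRESHOLD = 3

_redeemed = set()  # nonces already used: links are single-use


def _mac(line: str, op: str, nonce: str, expiry: int) -> str:
    msg = f"{line}|{op}|{nonce}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_verification(line: str, op: str, now: int) -> str:
    """Return a token bound to exactly one operation on one line."""
    nonce = secrets.token_hex(8)
    expiry = now + LINK_TTL
    return f"{line}.{op}.{nonce}.{expiry}.{_mac(line, op, nonce, expiry)}"


def redeem_verification(token: str, line: str, op: str, now: int) -> bool:
    """True only if token matches this line and op, is unexpired and unused."""
    try:
        t_line, t_op, nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(t_line, t_op, nonce, expiry)):
        return False  # forged or tampered
    if (t_line, t_op) != (line, op):
        return False  # issued for a different action: a SIM-swap link cannot port out
    if now > expiry or nonce in _redeemed:
        return False
    _redeemed.add(nonce)
    return True


def record_operation(log: list, line: str, op: str, actor: str, ts: int) -> None:
    """Audit every sensitive operation: when, which line, what, and who did it."""
    log.append({"ts": ts, "line": line, "op": op, "actor": actor})


def velocity_alerts(log: list, window: int = VELOCITY_WINDOW,
                    threshold: int = VELOCITY_THRESHOLD) -> dict:
    """Map line -> distinct ops seen in some window-sized span reaching threshold."""
    by_line = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        by_line[e["line"]].append(e)
    alerts = {}
    for line, events in by_line.items():
        for i, start in enumerate(events):
            ops = {e["op"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(ops) >= threshold:
                alerts[line] = ops
                break
    return alerts


def demo() -> dict:
    now = 1_700_000_000
    tok = issue_verification("line-42", "sim_swap", now)
    results = {
        "reused_for_port_out": redeem_verification(tok, "line-42", "port_out", now + 60),
        "correct_use": redeem_verification(tok, "line-42", "sim_swap", now + 60),
        "second_use": redeem_verification(tok, "line-42", "sim_swap", now + 120),
        "expired": redeem_verification(issue_verification("line-42", "port_out", now),
                                       "line-42", "port_out", now + LINK_TTL + 1),
    }
    # Constructed audit trail: the compromise pattern from Step 6 on one line,
    # and two routine, well-spaced changes on another.
    log = []
    for ts, op in ((now, "sim_swap"), (now + 120, "device_change"),
                   (now + 300, "plan_update"), (now + 480, "password_reset")):
        record_operation(log, "line-42", op, "agent-7", ts)
    record_operation(log, "line-99", "plan_update", "self", now)
    record_operation(log, "line-99", "password_reset", "self", now + 3 * 24 * 3600)
    results["alerts"] = {k: sorted(v) for k, v in velocity_alerts(log).items()}
    return results


if __name__ == "__main__":
    print(demo())
```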
The Uncomfortable Bottom Line
None of these attacks are particularly sophisticated. That’s what makes them so effective. SIM swaps exploit carrier support processes. Port-outs exploit number portability rules. Credential stuffing exploits password reuse. Social engineering exploits human trust.
The defenses exist. The frameworks are published. The FCC has rules. OWASP has cheat sheets. NIST has guidelines. The GSMA runs industry-wide intelligence sharing programs.
Every security feature we build must directly counter a genuine, documented threat. If a feature doesn’t address a real-world risk, it’s unnecessary security theater, making users jump through hoops that feel safe but don’t actually stop anyone with bad intentions. That philosophy is why we built Enhanced Security with default-deny enforcement at the backend. Why we monitor breach datasets with BreachShield. Why we shipped passkeys built on FIDO2. Why we score every interaction through a fraud engine that’s never done learning.
Because right now, a $300 bribe and a phone call is all it takes to hijack someone’s number. And that should probably make everyone a little uncomfortable.
If you want to see the full technical breakdown of how we’ve built against every threat in this post, read the deep dive here.
Frequently Asked Questions
What is SIM swap fraud and how does it work?
SIM swap fraud happens when an attacker convinces your mobile carrier to move your phone number to a SIM card they control. They pull this off by social-engineering customer service reps using personal details stolen from breaches, or by paying off carrier store employees. Once your number is transferred, they intercept your calls, texts, and two-factor codes, giving them access to bank accounts, email, crypto wallets, basically anything tied to your phone number. The FBI tracked 982 complaints with $26 million in losses in 2024, while the UK saw a 1,055% surge in cases.
How can I stop a SIM swap from happening to me?
The strongest protection is a carrier that enforces SIM swap blocks at the backend level, not through agent protocols that can be social-engineered around. US Mobile’s Enhanced Security blocks SIM swaps, port-outs, and network transfers at the system level, and even support agents can’t override it. Beyond that: set a PIN on your carrier account, switch from SMS-based 2FA to passkeys or authenticator apps, remove your phone number from sensitive account recovery flows, and check if your credentials have been exposed at Have I Been Pwned.
What is port-out hijacking and how is it different from SIM swapping?
Same basic concept, different execution. Instead of swapping your SIM within the same carrier, the attacker ports your entire number to a different mobile provider. It’s sneakier because your number completely leaves your original carrier, making it harder to detect and reverse. The FCC’s Report and Order 23-95 requires carriers to authenticate customers and send notifications for port-out requests, but enforcement remains inconsistent.
How do credential stuffing attacks work?
Attackers grab huge lists of stolen username/password pairs from old data breaches and use automated tools to try those combinations against other websites. Since people reuse passwords constantly (Verizon found only 49% are unique across services), even a tiny success rate yields thousands of compromised accounts. According to Verizon’s 2025 DBIR, stolen credentials were the #1 initial access method, responsible for 22% of all confirmed breaches.
What is BreachShield and how does dark web credential monitoring work?
BreachShield is US Mobile’s credential monitoring system that continuously scans dark web data dumps and known breach datasets. When it finds credentials associated with a user’s email, the account gets locked immediately until the password is changed. The system never sees plaintext passwords; it matches cryptographic hashes against salted references. US Mobile also runs the same monitoring on employee credentials, and is expanding the feature to block compromised passwords at registration time.
How can I tell if I’ve been SIM swapped?
The biggest giveaway is a sudden, complete loss of phone signal when people around you on the same network are fine. Your phone might show “No Service” or “SOS Only.” Other signs include texts that won’t send, calls going straight to voicemail, and receiving notifications about password resets or new device logins you didn’t request. Some eSIM-based attacks happen in under 5 minutes, so if anything feels off, call your carrier immediately from a different phone.
Is SMS-based two-factor authentication safe?
Not really. NIST has been raising red flags since 2016. SIM swaps, port-out fraud, and even cheap SMS rerouting services can all intercept those codes. FIDO2 passkeys are the safest option: the credential is cryptographically bound to the legitimate domain, so even a perfect phishing clone won’t work because the passkey checks the domain before signing anything. Hardware security keys and authenticator apps are the next best options. SMS should be your last resort.
What are passkeys and why are they more secure than passwords?
Passkeys are built on the FIDO2/WebAuthn standard and use public/private key cryptography. Your device generates a key pair; the private key stays in your device’s secure hardware and never leaves. The credential is bound to the specific domain. As US Mobile’s security team explains it: even if the most skeptical user would be fooled by a phishing page, the machine won’t be. There’s nothing to phish, intercept, replay, or stuff. Passkeys are supported on iOS 16+, Android 9+, macOS Ventura, Windows 10+, and ChromeOS 109+.
What is the “default deny” approach to telecom security?
Default deny means that sensitive operations (SIM swaps, port-outs, network transfers) are blocked by default at the system level, and can only be performed when the verified account holder explicitly enables them. US Mobile’s Enhanced Security uses this approach with four granular flags at the line level. Instead of trying to catch fraud in real time (which is extremely hard when social engineering is involved), the system simply makes the operation impossible until the owner says otherwise. It’s the same principle hardware crypto wallets use.
Can eSIM technology prevent SIM swap attacks?
Physically yes, since there’s no card to steal. Remotely? Not at all. The vulnerability is in the carrier’s verification process, not the SIM format. eSIM has actually made things worse in some ways because numbers can be transferred digitally via QR code, compressing attack timelines. UK eSIM fraud reports jumped from 18 in 2022 to 763 in 2024.
What did the FCC do about SIM swap and port-out fraud?
The FCC adopted Report and Order 23-95 in November 2023, requiring carriers to authenticate customers before processing SIM swaps or port-outs, immediately notify customers of such requests, and maintain tracking data for three years. They deliberately avoided mandating specific methods, which gives carriers flexibility but creates uneven protection across the industry. The FCC ruled that biographical and account information are not considered secure authentication for these operations.
How do social engineering attacks target support agents?
Attackers call help desks impersonating customers or employees, using stolen personal details to sound legitimate. AI voice cloning and deepfake tech have made this dramatically easier. In the M&S breach, attackers combined SIM-swapped phone numbers with social engineering to trick IT helpdesk staff into resetting credentials, enabling a ransomware attack that cost roughly £300 million. The most effective defense is building systems where support agents structurally cannot override security protections, removing the human vulnerability entirely.