sim swap customer enquiry (no, it has not happened to me...yet)

launton
Fledgling

Hi,

Sim swapping is on the increase and is used to bypass 2FA via text codes, and not all sites allow other, more secure authentications.

Can you tell me what protections 3 have in place to prevent sim swapping/hijacking?

 

After a recent identity theft via Facebook, and financial losses, I want to make sure my mobile number cannot be unknowingly transferred if a third party gains my information and/or my account.

I want to feel comfortable with Three as my network provider. Can I add a codeword or pin to my account in the event someone attempts to inform you that I have lost my sim? 

CS chat was unknowledgeable about this query, thinking my handset had been stolen (which it hasn't), and was replying about PAC and PUK codes; this is not what I am asking.

Thanks for listening. Cheers

 

John

4 REPLIES
Anonymous
Not applicable

Can only tell you that my bank regularly send me Two factor authentication codes and I receive these without issue. I swapped over my faulty sim in the last month and I had to take my driving licence (the ONLY alternative to that would have been my passport) to a Three shop to obtain a replacement sim. I seem to remember having also to confirm my DOB and postcode. If I had ordered a replacement online it would only be sent to the address on my Three account, nowhere else, and the existing sim automatically disconnects on the day the replacement is received without inserting the replacement into my phone. To be fair I think this is industry standard and Three are no better (or worse) than any other major telco.

launton
Fledgling

Thank you Paddiewack

I'd still like anyone from Three to answer my question, but for anyone who might be curious, here's why I am asking... 

SIM swapping is an increasing problem in this country, it's rife in the US. Passkeys are to be implemented pretty much everywhere here in the coming months, and passwords will be phased out totally in about the next 3-5 years, we'll all hear about those in due course because text 2FA is, to be frank, useless and companies know this.

I see your reply and I completely agree; however, in my instance the hackers gained access to my data at multiple levels to the point of accessing PayPal, eBay, emails, Amazon, Spotify, debit cards, credit cards, booking flats in Spain via Airbnb (and refunding the monies back to different card details), accessing login details for 254 sites over a 27 year online period. How? Partly because they scraped 17 years of personal information from my hacked Facebook account, and used Facebook's 'login with Facebook' option to gain access elsewhere, causing a chain of access and substantial financial loss. You might think I have poor passwords or security, but my passwords are all 25 mixed characters long, and I'm an ex IT admin. I was unlucky. Very.

Bypassing text 2FA is easy when you have the data. They ignored 2FA and accessed my accounts via other means (credential stuffing).

As an example for a phone carrier: once inside compromised (carrier) accounts (I have not had my Three account compromised) they can report handsets or sims stolen and they can change login details locking me out and get my number transferred to a replacement sim (or esim) and change my postal address because impersonating someone online/telephone is easy when you possess all the data, and I know how paranoid this sounds, but it's happened, and they cleared me out. For me, text 2FA is the weakest link in the chain (now I have become as digitally secure as possible in other aspects of my online life). Hypothetically, I would like a code word or spoken pin-number before any changes to my carrier service were even thought about, let alone implemented. I'll keep an eye on stuff. I won't be the last person this happens to. Good luck, don't get hacked and delete Facebook 🤣

Anonymous
Not applicable

Best of luck. 

PeteG
Community Support Team

Hello. 

I'm sorry to hear that something like that has happened to you.
Discussing the details of what protections are in place isn't something that's generally done; it would only serve as a way of informing potential attackers.

For example, something as seemingly innocuous as telling us how many characters your password has would inform an attacker that they do not need to attempt any password combinations that are anything other than 25 characters long. In this case, I don't think that would be an issue or something you need to worry about since you use so many characters, and a mix of characters, but for the same reason, it isn't wise for a business to detail the measures they take when securing customer accounts and personal information. 

It's understandable that you want to take as many precautions as possible to protect your information and accounts, especially after what has happened to you in the past. It sounds like you're doing plenty on your own side, and hopefully this would be sufficient to help you avoid any other attacks like that.

Pete.
