Where I live you need a copy of your passport to port a number. In addition, the new SIM can only be sent to your government-registered address. I think that would be quite hard to game.
Even so, hackers can still use SS7 to hijack phone numbers.
Ah, I guess I forgot about that. Yeah, you either need to intercept the new SIM sent to the original customer, or defeat the identification procedure. That adds quite the hurdle compared to countries that have no such requirements.
At least in Germany, ordering new SIM cards to new addresses your provider never heard of before was a thing some years ago. I think porting a number is a lot easier if you know the detailed process, though.
I cannot do it in my country without physically going to some office and showing my passport. Doesn’t feel “temporary” to me.
SIM cloning is a thing. SS7 hacking is a thing. Phone numbers are _insecure_ as IDs, as simple as that. Signal’s insistence on using nothing but phone numbers is somewhat suspicious these days.
(Both major competitors in secure messaging, Wire and Threema, allow pseudonymous temporary IDs in addition to phone numbers.)
You can port your phone number to a VoIP provider if you will be out of the country for a while. Use a SIP phone app, and the "transport layer" SIM that you happen to use will have nothing to do with the phone number that is intermingled with your identity.
Most of this so-called social engineering of your SIM happens in the US. In most other places, you are required to provide some form of proof before you can get or alter any of your personal information or your SIM card.
> Well, in theory, in countries where you can go into a shop and buy a SIM card with cash, yes, but in a lot of countries you have to give your ID
Another huge problem with using phone numbers as IDs, which software developers in the US/Canada often don't think about, is that in many developing nation environments there is no such thing as local number portability, or the ability to move your phone number between any of the major national-scale mobile phone network operators or VoIP providers as you wish.
As you can do in the USA if you become unsatisfied with your T-Mobile service and want to move to AT&T, keeping your phone number. This is one of the reasons why dual (and even triple) SIM phones are so popular outside of North America.
In a lot of countries I don't see number portability in the SS7/PSTN system ever becoming a political reality, due to regulatory capture on the part of the national telecom regulator. At least not before pure IP-based communications and apps make the concept of a PSTN phone number irrelevant entirely.
SIM jacking is pretty easy. In Australia if you know someone’s mobile number and date of birth you can port a prepaid mobile. For postpaid accounts all you need is a bill.
The barrier is higher than random automated port scans but the value of being able to get access to financial accounts is high enough to justify the investment.
I use authenticator apps wherever I can. Where I can’t, I use a completely private number for 2FA (I run a virtual number product that is like Google Voice for Australians to do so: http://www.benkophone.com).
This is great news. Now maybe they'll have the resources to ditch your phone number as your identity. Traveling overseas is really frustrating when you get a new SIM card and your Signal identity changes.
A few months back I lost my phone, so I went to my operator with my passport to get a new SIM with my old number (in Thailand). She said the SIM isn't actually in my name but my ex-girlfriend's, and I told her I remember I took the SIM with her ID as I didn't carry my passport with me, so I guess there's nothing I can do.
She just replied, "Well, we could change the SIM to your name," didn't even check with the original owner, and 5 minutes later I was on my way with a new SIM.
Though that wouldn't solve the privacy problem, since there are many privacy-hostile countries where you're required to verify your identity to buy a SIM card.
Namely that physical SIMs are an excellent security feature, provided carriers aren’t cavalier about managing them.
Nowadays US carriers put up a few more hurdles here and there after some highly publicized issues, but it’s still bonkers that I can ultimately just read off the ICCID of a card in my possession and get a number ported to it.
Most European carriers don’t allow you to bring your own SIM and will instead only link numbers to SIMs issued to the customer by themselves.
That in and of itself would make things safer, but, and this practice varies from carrier to carrier and country to country, oftentimes they require in-person pickup with ID check or courier delivery with ID scan.
Although there are also plenty that just send it to the address on file.
And that's a near best case scenario in the US, UK, etc. In most of Europe and many other countries, you have to officially register a SIM card with an ID/residence document to use it.
This seems more of a problem with living in the USA than an SMS problem. I'm in Germany and there is no way someone gets a new SIM card without someone checking the person's personal ID.
Even in countries where you can still buy a SIM card without ID, once you use your bank card to buy more credit for the SIM (and in Sweden you always will, because cash is basically dead there), it is trivial for the authorities to link the phone number to your real identity.
You can in most countries as far as I know. But in my example I quit my account (so made it prepaid essentially) and lost the SIM card, which means I lost my account forever. Now it waits for the SIM card to invalidate and then will most likely sell the number again. It was an "easy number" (as in people remember that number after telling them once) so I assume it will be resold rather fast.
But just because you can does not mean people want that. Before it became normal to auth everywhere with phone numbers I happily changed my number yearly.
My number is tied to my government issued ID. If I lose the SIM card I can get another one simply by showing my ID. If my ID gets stolen I can get another one by visiting the Police and so on.
The point is - I have some kind of an enforceable legal right to that number, whereas I currently have no such right to any particular account (and such rights can't be practically enforced for physical objects such as devices).