If only telcos would do this before swapping the sims!

That does not work for the paid bribed insider.

Plus due to the rampant data breaches, etc, nobody answers numbers they don't know anymore because they're usually scammers or robocallers. I'd say save the number for customer support in your contacts, but there's no knowing what number the actual dept or employee will call from. Then there's the fact that we sleep and do other activities where we have phone set to silent or can't be near our phone. That'd be a full time job just trying to catch that one call. Assuming they always use the "my phone was stolen" social engineering excuse, cell companies should require a police report first. Phones aren't cheap. For starters, best thing you can do use a service that limits it's SIM cards & doesn't do eSIM without getting their physical SIM first. Some service providers only sell their SIMs at one store chain, and that store won't sell them online. No matter what, you use this provider, someone's gotta go in person to buy the SIM where they'll be caught on surveillance cameras. It's a deterrent. There's also less data out their tying your identity to a pay as you go provider. They don't require SSNs or PID to activate a brand new SIM, and they do contact the prior service provider before they port that existing number. I recall it taking upwards of 3 hours dealing with CS when I switched to a pay as you go provider. I believe somebody tried to SIM swap me 2 days ago, because I got a text from customer service asking to rate their service or contact them if I need anything else. The text was legit, not phishing. So I immediately tried to login to my acct, but it kept giving an error that my acct was "invalid." Their site has become a nightmare, so it took a very long time to finally locate "forgot password" (it's not on login menu), which required me to 2FA from SMS several times to get there, and then again to select reset option. From there, they emailed a link to reset that expires in 10 min (wouldn't work with any DNS or browser ad/tracking blockers enabled), and yes, if your email's been hacked, this is extremely problematic, but they do continuously require SMS code authentication & I use an email proxy so no one can use that email address to login to the email itself. The site was buggy as hell, but I was finally able to change my password, pin, etc - and since I had to know my SIMs SN to activate, I saved it, and carrier showed my number's still on the same SIM. So, hacker waisted their time, and now my acct's on lockdown. In my case, I use a proxy email address that can't be used to login to the actual email acct. This "hidden" feature is avail free with free some email services, it's just not an advertised feature so you have to dig and it can't be an annoying process to set up. It's worth it given it helped me avoid a doomsday scenario when my extremely old email was compromised in multiple data breaches and there were tons of login attempts presumably to reset other acct passwords. I was able to keep the email without having to manually change email login on dozens of accts by creating a proxy email and swapping it to be primary, and then blocked logins from the compromised email address. For all important accts now, I use proxies for login and compartmentalize which email addresses I use for different security levels (i.e. banking, social media, cloud, personal, retailers, etc).

@@ShannonMorse Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this. Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone. Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone. They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever. I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.

Message in a bottle..., Ive been social enginered, in sweden (didnt know they had customer support in swedish) I got hit by roaming mantis, cosmicstrand, both UEFI / lojax full control and a variant of xhelper. They have access over my gmail, and I cant do anything. Ive even tried installing linux with n external USB, but they have UEFI access so didnt succeed. Im alone here, so if someone see this. Please help me! they have control over my number with simcard jacking introduced after getting full access on one phone. Everything since rented out my appartment and they didnt pay rent so i cut internet, then I can see in the loggs (afterwards) tried to get free internet from me. That open the backdoor on my huw awei router and now my asus laptop, zenfone 9 , my girlfriends mac and her iphone. They have supershell access to this computer, and i dont even no if this comment will end up and your place shannon . But IF it do, please help me! i have lost everything and have nothing, i cant even pay my re nt. All accounts down. Im just a teacher and have been sick for 3 weeks now trying to solve this. But its not possible. If you help me I will be one of your paying subscriber forever. I worked with IT a long time ago (2011) I have done everything I know, but cant stop it. They just gaind more access, now having it all. THese 3 weeks of h ell making all my devices rooted with different malwares. DNS rerout, cookie poison, server cookie poison, everything. My m 4li is 1 a t u r ld o t1 with the last numbrs being the numbr equalent to letters. please somebody, help.

Yes!!! This!!! I completely agree with you.

@@ShannonMorse With the increase in SIM swap fraud, people should also move away from OTP authentication and rather let them send the code request to a secure email. Another thing would be to use supplied security certificates on transactional devices which should remove the SIM swap problem.

More and more use prepaid phones. Your idea only works if you have a contract. Or if you can go into a store. Even then you have to have an 'account' most of the human race does not. I had a phone years ago. All I had to do was turn it on. I had a number.

@@jamesedwards3923 Where I am from, if you do not use the number for 3 months, it is gone. Secondly, all numbers in use must be on the "RICA" system. All numbers are connected to a SIM, a person and that person's address. Unfortuantely only one bank here requires physical presence when activating cellphone banking with a working and registered SIM and phone and during setup the client's phone setup, a form is signed and finger prints taken. A really secure setup. If client's phone or SIM changes, these steps will need to be repeated. Prepaid and contract are all registered.

@@JohanlastZa Wow, you are way more secure than most of us.

@Faye Cushnie Seems like you are also still stuck in the 70s

Exactly SSN's aren't even secure

Even a credit card’s card number by itself is more secure than a SSN because it has more digits.

considering fingerprint scanners are in every phone, I feel like that would be much more secure

You got it!

Absolutely! Happy to help!

@@ShannonMorse does encrypting your phone help?

You can solder with long nails, FYI.

Thank you!! I'd love to do more security and privacy videos!

Yes, please! Your 30 day challenge you did a year or two ago sparked my interest in the subject. I view everything differently now and am in a much better position after implementing as much of the suggestions as possible. Thank you for that! 🙏🏻

No problem 😊

Me too

@@dilshanmaduranga6669 Me three...

thank you!

You're likely fine as long as you use some of these tips and good internet hygiene!

Shannon Morse, I need to investigate the google phone tip for sure, and my replacing my mother’s maiden name with my favorite song phrase

@@garynagle3093 you commenting that you should change it to your favorite song lyric is now info that someone could use. Another tip: never talk about what your Security answer is or what its about.

Happy to help

Thanks!

I’m sure it’s happened to me mate

also only you would know some of them. Unfortunately people seem to be phasing them out.

@@camaroman101 Unfortunately.

The problem is you may not always to be able to get to your provider. Life is problematic.

If you can find it in their: Public Bills. Contract. Customer Service Call. Etc. You have a law suite.

Oh yes much more lawsuits cali. NM. TX. Yep

I have a yubikey and you can enable a password for some of the key's features. You can actually store the same type of 2fa time based TOTP codes that authy uses on the yubikey and use yubico authenticator to view the codes. For that you can protect it with a password. For Fido U2F, which is the method you would use to register the key with your Google, Facebook, Twitter, etc account. For that, I don't think you can protect the yubikey with an additional password. But keep in mind it's a second factor, so they would need your login username + password + physical posession of your yubikey to gain access to your accounts and if they could get all 3 of those things from you, then they could probably steal that additional password too. If you're gonna buy a yubikey, you should ALWAYS buy two and register both of them with all the same accounts so that if you were to lose possession of one of them, you would still be able to access everything.

Look up the FIDO standard. Answers all your questions.

Its more like they can start attacking so fast oncce they have the number they hope you take at least 15-30 mins to recover. That way they can exploit your email's SMS recovery or bank SMS recovery and by then theyre into all the important accounts of yours. If they lose the phone number after that its not a big deal because they already got the access and have changed passwords etc... Especially if you have crypto coins somehow linked thru emails that get compromised. It can be devastating. It isnt meant to be a long con. It's more like "swap it, now exploit as much as possible as fast as possible"

If you have account resets or password resets tied to your phone number, that can be used to bypass the original password. Because they would receive your text messages.

@@ShannonMorse okay, now I get it. Thanks.

For extra coolness, it’s connected to a red auto-dial phone. My family has a hotline to my cellphone.

and how do you get SMS thru your OBI cordless I wonder

The carrier has a default code. Google tells me that tmobile's default is 1234

Encrypt the files before you upload them. Problem more or less solved. VeraCrypt. PeaZip 7zip KeePass Password Safe

Which is why manual backups of data to the cloud is my preference. Whether you use a zero knowledge backup provider like spider oak. Or some other cloud service. If you encrypt the data with layers of encryption and multi factor efforts. The data should be reasonably secure. Encrypting a file in a simple encrypted file and then encrypting that file in another file. Is the easiest common sense approach. So even if an inside man compromises a cloud service and extract your encrypted file. They would have to attack all the layers of encryption. For example PeaZip allows for keyfile encryption. Typically most people do not use keyfiles for a zip file or a .7zip file. Which means a typical hacker will normally not account for that vector. Depending on the software applications. You can use key files or hardware keys. This is why you must actually sit and ponder how you are going to secure your data.

When I switch my sim or esim to a new phone, my old phone never shuts down. The ONLY thing that happens is the little icon at the top changes from showing me 5g to showing me wifi only. If someone doesn't notice that they'd have no clue their phone number was swapped.

Oh wow, That's hard to believe. Thanks the info@@ShannonMorse

Why is it hard to believe? I review phones and swap my sims in between them at least once a month. I've also don't over 2500 videos about sec/priv (my OG channel is called Hak5). I think I know what I'm talking about.

It does, but luckily there are tons of alternatives (my favorite being hardware keys, of course.). I get why they do it - it makes Authy more user-friendly because you can put it on multiple devices or reinstall it if you lose your device... but yes, that does still open up your Authy account to potential vulnerabilities in security. You CAN turn off "Multi-device" in the settings and you CAN add PIN and fingerprint protection to the app so even if someone sim swapped you, they'd still be locked out without your PIN. That's what I'd do if I switched phones a lot and used Authy.

Ostensibly, if you have a PIN set up and someone calls to change your sim to another card, they will have to give the correct PIN. BUT do not put any faith in pins, because carrier agents have the power to go around PINs, if the criminal can give enough of your personal information to convince the agent, then theyll void the PIN and swap the sim over. Best course of action is to simply give no power to someone who gains your phone number. No reocvery sms, no sms 2FA, nothing for any important accounts.

Oh a SIM PIN. I thought you meant a PIN on your phone company account.