T-Mobile will be adding a new layer of security to its port-out process with the addition of a six-digit PIN, according to The T-Mo Report. The new number transfer procedure would reportedly require users to obtain a PIN from T-Mobile’s app or site and provide it when attempting to change their number to a different provider, which could make it harder for bad actors to steal people’s numbers.
According to The T-Mo Report, T-Mobile has announced the process internally but hasn’t rolled it out yet to customers. It’ll also reportedly only be available to postpaid customers to start, not including people signed up through the Lifeline program.
T-Mobile didn’t immediately respond to The Verge’s request to confirm these plans. The T-Mo Report cited an internal company document it said it had obtained.
It’s good to hear that T-Mobile may be adding this feature, as it could help prevent SIM-swapping attacks, where a scammer convinces a telecommunications provider to transfer a phone number into their control. As Android Police notes, Verizon and AT&T have already implemented number transfer PINs. While it might not prevent all SIM-swapping attacks (in theory, an attacker with a T-Mobile account and device wouldn’t have to go through the port-out process since the number would be staying in the same network), the PIN requirement can act as another line of defense in addition to T-Mobile’s existing account takeover protection tools.
SIM swap, or porting-out, attacks have seemingly become popular with cybercriminals in recent years and have been implicated in high-profile cases like when then-Twitter CEO Jack Dorsey’s Twitter account was hacked. They’re attractive for a few reasons: they provide a wealth of information (many two-factor codes are still sent through SMS), and it can be difficult for a victim to realize they’ve been attacked and recover from it. The Federal Communications Commission recommends immediately contacting your cell carrier if you suspect someone has swapped your SIM, but that can be difficult to do given that your phone will no longer be functional.
T-Mobile’s reputation for security has taken a few hits recently, as the company has been affected by a string of data breaches and cybersecurity incidents. While some have been relatively minor, one in August 2021 affected over 50 million people.
