03-04-2024 04:12 PM
What measures EE takes to prevent malicious sim swapping when hackers pretend to be customers aiming to breach the 2FA mechanism?
I tried to ask the company directly, but there is no suitable category to ask in writing, only to call or send a letter. I find it strange that you cannot chat with or email a representative. I am a new customer to EE.
02-09-2024 03:39 PM
This happened to me also, but with Three, though weirdly the number was moved to EE. Three were just as, if not more, useless than EE, so I've closed my account with them and moved here. I'm hoping EE can provide me with a more secure set-up so that someone cannot, within 3 hours, make my life a nightmare.
09-01-2025 10:24 AM - edited 09-01-2025 10:28 AM
Hello,
This is a follow up on my query, if anyone is around to address this.
The hacks and scams are getting ever more elaborate, with massive data leaks and AI collating data from various resources to get a better picture of the victims before the final hit.
All those details mentioned here look good, but only until you find the weakest point. Like 24 hours for swapping. I personally don't use my device all the time, like some people who cannot pull their eyes off the screen. There are weekends when I don't touch the phone. 24 hours won't protect me. I should be no slave to the phone, having to keep checking it every few hours.
Characters of a password: if my cookie sessions were stolen, passwords won't protect me. Even a password manager had a data leak in the not so distant past.
One way of securing the SIM against malicious swapping would be locking it with an additional PIN code that is noted nowhere else. It is a simple number, not a super secure password I would need to access somewhere else first to give you particular characters; when I am out and about, that would be impossible, as I don't interlink all my data across all my devices. I isolate certain things to have better control.
With spoofing being ever easier these days, it is not too difficult to make your phone look, to the provider, like you are the actual owner of the number, so that's another not so guaranteed security measure busted.
My question is: is there a chance to lock the SIM card in the operator's accounts (not just locally in my phone), to prevent an unauthorised swap? I think Americans have it. Do we have it too, in the UK? Then the only weakest link would be your own databases, if this detail got breached. Nobody is immune to attack.
09-01-2025 11:29 AM
James B and Chris G … you should both be aware that EE’s CS team advised me that EE cannot stop a number port once it is in train.
One of you advised that … "Not to mention that you should also receive a text if this was to happen. That's when you call customer services ASAP, as number ports take up to 24 hours to complete, so you do have time to call. Any text about a potential number port, i.e. it will probably start with 'sorry to see you're leaving', should be a call to customer services ASAP."
I called the CS team as soon as I got one of those texts (I could not have reacted any quicker - within a minute !!!) - and the EE CS team did nothing to stop the port (or could do nothing to stop the port).
For a claimed industry-leading operator, EE are still very much on the back foot here. The only positive thing I can say is that EE seem gradually to be rolling out 2FA at last.
09-01-2025 12:17 PM
So since my lengthy comment disappeared today, here we go again.
I keep learning about weaknesses in cyber security and I am getting more concerned. Some suggestions here are not robust enough. There are continuous and widespread data breaches, our data of all sorts pouring onto the dark web (forget data brokers, they are toddlers in comparison to this), and AI collates the data to get a more complex picture of the victims before the final hit.
1. Making sure that only a call from the relevant number is taken seriously by the EE team is not sufficient, as numbers can be easily spoofed these days. Besides, if you lost your phone and got a new one, this option is redundant.
2. As mentioned earlier, all the passwords, the last 4 digits of a bank account or any other info asked for during the checking - all these data can be harvested by malware, and whatever your operator needs, they can easily provide everything. These scams are getting more elaborate than ever before. Me tailoring my CVs to particular positions also led to repeated success, instead of just throwing a generic CV around like spam.
3. Even a password manager got a leak in the recent past, so that also can be breached, let alone passwords saved in the browsers. There was a fake Google Authenticator app in the wild recently, and also over 30 Google extensions were injected with malicious code, extracting data from the browsers of over 2 million people (that is known of).
I could go on and on. Just assume your data is already there and it is just a matter of time before you will be a target.
What I see as viable in addition to all these options is a separate PIN code, easily remembered, set up in the operator's accounts (not the one in the phone to lock the SIM). That one will only be vulnerable if the operator's database got breached. If you ask me for particular characters of my complex password, which got leaked, that won't help, and if I am in a hurry, I would need to access my other device first to see what the password was. That is hard to do when I am away from that device. I isolate my devices and the data on them, not having everything linked with everything.
Is there anything of this sort in EE, a special code that prevents anyone from using all the other leaked data to target individuals' accounts?
09-01-2025 03:37 PM
Good afternoon @Elvira77.
Welcome back to the EE Community, and thanks for your suggestions here too.
This isn't an option we offer at present, but I'd like to reassure you that we recognise security around SIM swaps is massively important.
If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated.
The alternative here would be to visit one of our retail stores with a form of valid photo ID.
If a customer has an inactive SIM, for example if they need a new size SIM, as well as completing standard account security we also send out a one time PIN to the existing SIM linked with your number.
If the customer can't confirm this to us, we will not activate the SIM, and they would need to look at the lost and stolen option for a replacement instead.
Peter
09-01-2025 05:14 PM - edited 09-01-2025 05:18 PM
Thanks for such a speedy response.
I still have questions (that pesky inquisitive mind of mine):
You wrote: "If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated."
If someone is after me, they might intercept this letter and get full access to an already activated SIM card. Is it really that safe? Is the original SIM card deactivated before this replacement is sent out, so at least I would have some time to figure out that something is going on? If lost or stolen, I would expect this to be a logical chain of events. But then there is a delay when one cannot access accounts for a number of days. So either this card is sent as a priority with next-day delivery, or second class so that it takes a few days; there are pros and cons to both.
"The alternative here would be to visit one of our retail stores with a form of valid photo ID." Fakes are pretty good these days, so even this can be misused in several different ways. And even if you had my photo ID with a facial algorithm stored in your database (which you don't) for verification purposes, even if it could be a viable option for the majority of people, some individuals with disfigured facial features after an accident might have a problem with this. But that is just a side note. Those with faces so full of fillers that they look nothing like their prior selves, those need to sort themselves out LOL.
I am not sure I understand that part with the one-time PIN you send out. How is it used exactly? You say they have an inactive SIM, but then you send a code to the existing SIM. You mean before the original SIM is deactivated and the inactive SIM is already sent out?
That isn't the case I meant originally.
How does the customer authenticate that it is really them, outside of the potentially breached various details they usually need for authentication? Something only this person knows that is not recorded by a key logger, or stored in some common database (except yours), the final piece of the puzzle that would make all the efforts of scammers fail. No SIM card should be sent out, especially not activated, without this piece, if the customer sets it up. I think we should have this option. And if I was that pedantic, this PIN code should be stored in a separate database, not with the usual customers' details that also get breached one organisation after another. If the scammers have everything else about me but lack that one code, they are doomed. And EE customer service should under no circumstances disclose it to anyone. They shouldn't even have access to it without extra verification and with a limited access time, like bank accounts log out after a few minutes of inactivity.
How about that?
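As an added illustration (not EE's process, and not code from anyone in this thread), here is a Python model of the flow the post above proposes: an optional account PIN held in a separate store and checked as a salted hash with a failure lockout, a one-time code delivered to the SIM currently active on the number, and a cooling-off window during which the customer can cancel a pending change. The account id, phone number, PIN, code length and 24-hour window are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 200_000        # work factor for the stored PIN hash
MAX_PIN_FAILURES = 5           # lock the PIN after this many wrong guesses
COOLING_OFF = timedelta(hours=24)  # window in which the customer can cancel


class PinVault:
    """Hypothetical store for the optional account PIN, kept apart from the
    main customer record. Only a salted hash is stored, never the PIN."""

    def __init__(self):
        self._records = {}  # account_id -> {"salt", "digest", "failures"}

    def enrol(self, account_id: str, pin: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._records[account_id] = {"salt": salt, "digest": digest, "failures": 0}

    def is_enrolled(self, account_id: str) -> bool:
        return account_id in self._records

    def verify(self, account_id: str, pin: str) -> bool:
        rec = self._records.get(account_id)
        if rec is None or rec["failures"] >= MAX_PIN_FAILURES:
            return False  # no PIN on file, or locked out
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["digest"]):  # constant-time compare
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


class OtpService:
    """One-time code sent to the SIM that is currently active on the number.
    In a real deployment the code goes out by SMS; here it is returned so
    the example can hand it to the legitimate customer."""

    def __init__(self):
        self._pending = {}

    def issue(self, msisdn: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[msisdn] = code
        return code

    def redeem(self, msisdn: str, code: str) -> bool:
        expected = self._pending.pop(msisdn, None)  # single use
        return expected is not None and hmac.compare_digest(expected, code)


@dataclass
class PortRequest:
    msisdn: str
    requested_at: datetime
    cancelled: bool = False
    completed: bool = False

    @property
    def deadline(self) -> datetime:
        return self.requested_at + COOLING_OFF


class SimSwapService:
    def __init__(self, vault: PinVault, otp: OtpService):
        self.vault, self.otp, self.requests = vault, otp, {}

    def request_swap(self, account_id: str, msisdn: str, pin: str, otp_code: str, now: datetime) -> str:
        # 1. If the customer enrolled an account PIN it is mandatory, whatever else the caller knows.
        if self.vault.is_enrolled(account_id) and not self.vault.verify(account_id, pin):
            return "denied: account PIN"
        # 2. Prove possession of the SIM that currently holds the number.
        if not self.otp.redeem(msisdn, otp_code):
            return "denied: one-time code"
        # 3. Do not move the number yet: open a cancellable cooling-off window.
        self.requests[msisdn] = PortRequest(msisdn, now)
        return "pending"

    def cancel(self, msisdn: str, now: datetime) -> bool:
        req = self.requests.get(msisdn)
        if req is None or req.completed or now >= req.deadline:
            return False
        req.cancelled = True
        return True

    def complete(self, msisdn: str, now: datetime) -> bool:
        req = self.requests.get(msisdn)
        if req is None or req.cancelled or now < req.deadline:
            return False
        req.completed = True
        return True


def walkthrough() -> list:
    """Constructed scenario: attacker has every leaked detail except the PIN."""
    vault, otp = PinVault(), OtpService()
    vault.enrol("acct-1", "4821")
    svc = SimSwapService(vault, otp)
    t0 = datetime(2025, 1, 9, 12, 0)
    number = "07700900123"  # Ofcom-reserved fictional UK number
    code = otp.issue(number)
    results = [svc.request_swap("acct-1", number, "0000", code, t0)]   # attacker guesses PIN
    results.append(svc.request_swap("acct-1", number, "4821", code, t0))  # real customer
    results.append(svc.cancel(number, t0 + timedelta(hours=3)))           # still inside window
    results.append(svc.complete(number, t0 + timedelta(hours=25)))        # cancelled, so no
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The order of checks matters for the lockout: a caller who cannot produce the PIN never gets as far as consuming the one-time code, so a legitimate customer is not locked out of their own code by someone else's attempts.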
09-01-2025 06:12 PM - edited 09-01-2025 06:14 PM
Hi again @Elvira77, the process for inactive SIMs is what would happen if someone still had a working SIM but then requested a new one to be activated to replace this.
As I mentioned, this would be for situations like a customer upgrading their phone and needing a different SIM size, and it's possible for them to order an inactive replacement online.
By sending a PIN to the existing active SIM, we are able to verify that the person we're speaking with is the person that uses the number.
Peter
15-04-2025 07:24 PM
You said
“If you need a replacement for a lost or stolen SIM, this can only be sent to the address registered on your account, and is sent pre-activated.
The alternative here would be to visit one of our retail stores with a form of valid photo ID”
Clearly this is not the only truth here if SIM swapping is taking place.
The point of this thread was to ask what EE is doing to protect us. You have offered no insight or reassurance.
Original posters pointed out that the 24-hour warning is the weak point, because it makes no difference if we contact you, as you have already initiated a one-way process.
Why is the process one way? When are you changing it?
15-04-2025 10:12 PM
No, you don't need access to the physical SIM or eSIM; you merely need to contact the phone provider explaining that you've lost your phone/SIM and ask whether they can switch your number to another SIM. In my case the only security they needed (not EE, by the way) was my date of birth, and they took it over. The first I knew was an email saying "thanks for changing your email password" showing up on my phone; then I realised I had no phone number on my phone, and then several weeks of pain ensued trying to get it back. I have now registered a password with EE that would be needed to get a new SIM.
15-04-2025 10:15 PM
Snap, though mine was with Three. I did complain and was referred to the ombudsman, and received a proper apology and a financial award.