Comment by vanviegen
5 years ago
Is it really that easy to steal a phone number and/or intercept SMS messages? Isn't the SIM supposed to hold all sorts of secrets to prevent that?
I don't think it's down to the SIM. It's more they call help at the phone company and say "hi I've lost my phone, number 0123123. Could you transfer it to my new handset with another SIM in?" Or similar. I had my one (with Three UK) transferred to some random fraudster this year. I got it back but it was a pain and potentially dangerous. In fairness to Google they didn't manage to get into that.
Suggestion to phone companies: When receiving such requests email and text the user saying "we've had a request to transfer your number, contact us if not you" rather than just cracking ahead.
> Isn't the SIM supposed to hold all sorts of secrets to prevent that?
The process has a security hole by design: SIM cards can get damaged/lost (usually with the phone) and you wouldn't want to lose your number just because you lost your phone or damaged your SIM card by accident. This hole is typically exploited by attackers after they have identified a high-value target. You basically outsource the control over your account to a telco employee.
I had this happen after a promotion that changed my LinkedIn title to something more prominent.
Still can’t prove what happened but someone ported my number from my carrier to Sprint and it took easily 18 hours to undo it. And it required convincing Sprint, which I had no affiliation with, that the original transfer was not intended, and that yes I want to reverse it out.
Crazy painful.
High-level government members were hacked in Brazil using spoofed numbers to access voicemail. No social engineering, just bad systems.
It varies by country and the US is not very secure. In a lot of technically more secure countries social engineering and corruption are available for a determined attacker.