Lissy93 / personal-security-checklist

🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2024
https://digital-defense.io

[CONTENT-CHANGE] Edit 'Set up a mobile carrier PIN' as it's not clear enough #129

Closed. ba32107 closed this 2 years ago

ba32107 commented 2 years ago

Justification

In the mobile devices section, for the advice "Set up a mobile carrier PIN", the recommended mitigation is:

The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account.

I don't quite understand what this means - I'm almost sure it does not mean the PIN used for the SIM card lock (although I'm sure there are some people who would mix those up). What does this refer to exactly? I had a quick Google, but didn't find anything about an access PIN for my mobile provider.

Lissy93 commented 2 years ago

You are correct, it means to add a PIN to your mobile / cell phone carrier account, preventing (or making it harder for) the number from being transferred to another provider without that PIN being provided.

It's hard to provide a link to a tutorial, since this varies between mobile networks / cell providers.

The way they're used also varies between providers and from country to country. I believe in the US the PIN is only used to prevent changes from being made to your account, whereas here in the UK you can't even put the SIM in a new phone/device without having the PIN.

The purpose of this is to prevent (or reduce the chance of) SIM-swap attacks, which can be used to receive SMS-based 2FA codes (when app-based OTP codes aren't supported), make account-related changes and sometimes perform password resets.

Hope that helps, and I will push an update to make this a bit clearer :)

ba32107 commented 2 years ago

Hmm actually I think I got a bit more confused :) Let me clarify my question.

I am able to set up a SIM lock PIN code today on my phone. This means I can go into settings, set up the PIN, and then on every restart I need to enter the PIN to unlock the SIM card. If I put my SIM into a new phone, I won't be able to use it without this PIN. However, this PIN is not required at all when I call my mobile provider or make any changes to my account online. I think of this as a low-level lock for the SIM card itself. Let's call this "type 1 PIN".

I interpreted this security suggestion as: as a mobile user, I should set up some sort of "account PIN". In my mind, this would work something like 2FA - when I call my carrier's customer service, they would ask me for this PIN before making any changes. This would reduce the chance of a social engineering attack. However, I found nothing online about setting up this type of PIN for my mobile carrier - I am not sure if it exists. Let's name this "type 2 PIN".

In your answer:

I believe in the US the PIN is only used to prevent changes from being made to your account, whereas here in the UK you can't even put the SIM in a new phone/device without having the PIN.

The first part of the sentence seems to refer to a type 2 PIN, while the second part to a type 1 PIN. Can you clarify which type of PIN this security advice refers to?

As mentioned, I know how to set up a type 1 PIN, but I've never heard of a type 2 PIN - I've used 3 mobile carriers over the years and none of them had this. I do not live in the US though - maybe it's a US-only thing?