
> “Never transfer my Number” flag

what if you actually want to transfer your number?




OP's intent was clear, at least to me: never transfer my number on the phone. Require it to be in person with some stronger form of identification.


The problem is, I think a lot of these hacks have an internal connection. How much access do these 3rd party carrier stores have to transfer numbers?


It could be done remotely but only if the store had signed off that ID had been viewed and the port confirmed in person. Of course this could be gamed, but an employee would need to put their name on the line to say they had met the person and viewed the ID.


We have a <major us carrier> rep (as a business customer) and he will port our lines and change SIMs for me based on an email. However I noticed the last time I initiated one of these requests there was a confirmation step that involved an email sent to me with a URL I had to click to approve. From memory I don't believe that URL needed authentication so the email was a bearer instrument. An attacker would need to both fake my outgoing email (easy) and also intercept incoming email (not so easy). There was also a confirmation email sent advising that the request had been approved and processed.

I can imagine however that an admin at a reasonably large business would receive several of these emails per day and may just reflexively click on them all. Note these emails are sent to the business account admin, not the end-user. I happen to be both so can see both sides of the process.

Edit: I should also add that I have never met this rep and so he has definitely not looked at my government ID. The process is secured only by receipt of email.



This seems like the best solution. Introduce an opt-in security feature, whereby any attempt to port the number, or swap sims, is subject to a ~72h cooldown period. During that period, notify the account holder through numerous communication channels of the pending change.

Email, SMS, automated phone call.
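A sketch of the scheme proposed above (opt-in lock, ~72h cooldown, notices on every channel, holder can cancel) combined with the earlier suggestion that only an in-person ID check lifts the lock. This is added example code, not any carrier's system; every name in it is hypothetical.

```python
"""Port-out guard built from the thread's proposals (example code, not any
carrier's; all names hypothetical): an opt-in "never transfer my number"
lock that only a recorded in-person ID check lifts, plus a 72h cooldown
with multi-channel notices during which the holder can cancel."""
from dataclasses import dataclass, field
COOLDOWN_S = 72 * 3600                # ~72h cooldown proposed in the thread
CHANNELS = ("email", "sms", "voice")  # every channel gets the notice

@dataclass
class Account:
    number: str
    port_lock: bool = False           # the "never transfer my number" flag
    in_person_verified: bool = False  # staff attests they saw government ID
    notices: list = field(default_factory=list)  # (channel, text) sent out

@dataclass
class PortRequest:
    account: Account
    requested_at: float               # epoch seconds (constructed in tests)
    cancelled: bool = False

    def executes_at(self) -> float:
        return self.requested_at + COOLDOWN_S

def port_allowed(account: Account) -> bool:
    """Lock set and no in-person check recorded => refuse the remote request."""
    return not account.port_lock or account.in_person_verified

def request_port(account: Account, now: float) -> PortRequest:
    """Open a request, start the cooldown and fan out notices so the holder
    has the whole window to object."""
    if not port_allowed(account):
        raise PermissionError("port lock set; in-person ID check required")
    req = PortRequest(account, now)
    for ch in CHANNELS:
        account.notices.append(
            (ch, f"port of {account.number} pending until t={req.executes_at():.0f}"))
    return req

def cancel(req: PortRequest) -> None:
    """Holder (or the business account admin) objects during the window."""
    req.cancelled = True

def execute(req: PortRequest, now: float) -> bool:
    """Port only after the cooldown and if nobody cancelled; attestation is single-use."""
    if req.cancelled or now < req.executes_at():
        return False
    req.account.in_person_verified = False
    return True
```

Clearing `in_person_verified` on execution means the store's sign-off cannot be reused for a later request; the lock stays set so the next remote attempt is refused again.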


Yup. Authy does a good job of this if you need to reset your access. They (automatically) harass the shit out of you for 24h before doing it. I think I got 10+ calls/texts plus emails.


The Swedish solution for physical address change (yes, we all must be registered at an address which is then used for everything formal) is to lock it using Mobile Bank ID.

> BankID is a citizen identification solution that allows companies, banks and government agencies to authenticate and conclude agreements with individuals over the Internet.

You need your phone to use it, but it can be recovered using other means like an ID card or a digipass from your bank.

https://www.adressandring.se/private/watch


If you do want to transfer it you need a 'higher' level of identity proof. Usually this means you have to visit a store/office of the provider and show a means of identification to get the transfer lock lifted.

This is common for many telcos, banks, etc.



