Yes. Of course it works. If it was not possible for you to move your phone number to a different device, then you'd be trapped, and of course the mobile phone companies would take advantage of that to gouge you.
The problem is your cell provider doesn't have a very good way to be sure it's Svip asking them to do this transfer. They are mostly going to rely on low paid call center or shop floor staff to decide. Fortunately for them this is a low-value transaction. If I get them to transfer Svip's number, I don't cost them very much money and I don't inconvenience you all that much really. Why would I bother...
Unless some idiot decides to rest the authentication scheme for their valuable service on control over a phone number.
In the UK in particular, for example, the person doing the authentication in an actual store will usually be a teenager working part time for the mobile phone company to get some spending money or during tertiary education. When a hot guy approaches them saying they can make twice their weekly wage if they just "forget" to do a proper ID check for a few friends of his, why wouldn't they say "Yes"? They might get fired? They have never had a serious job, they're treated like shit; unless they're unusually upright and honest or they think it's a trap, they're going to agree.
To be more specific, I live in Denmark. Last time I had to transfer my number, it was quite a hassle. I had to show up physically in a store, and they needed to scan two ID cards of mine. In addition, because I have a legally hidden address, the guy in the store needed to contact someone inside to confirm me. Essentially, he was not able to do it on his own.
In fairness, that was me moving from one carrier to another. I assume, if I were to get a new SIM with the same carrier, it would be a lot easier. I have been trying to figure out what it would require for me to change SIM within the carrier, but their help articles aren't clear on this, besides mentioning it is possible (my impression is that they will ship the SIM card by postal services).
There are still ways to make the system more secure.
For example, you have to physically go to a store to port the number unless you have the old SIM.
Then it's not done immediately - there's a 72 hour period in which multiple texts and calls are sent to the old SIM asking for confirmation. If you physically have the old SIM this is instant, but if you claim to have lost it you need to wait 72 hours and provide a signature and mugshot at the store.
If a member of staff "forgets" to do this stuff, they go to jail.
People don't usually lose their SIM card, so this process wouldn't happen very often.
Sure, you could have a national "reality" TV show, everybody who lost their SIM has to go on the TV show for six months with it showing on screen which number they claim is theirs - so this way there's no chance they're a crook.
Or make anyone who claims they lost their SIM wrestle a bear first before they get a replacement. Won't see many crooks take that on.
But, I put it to you that this all seems very disproportionate when you remember that you're punishing the phone company and its customers for not securing Twitter. These are the wrong people!
I'm a strong believer in solving problems at the single point of failure. If you solve it at the Twitter level, what about any other internet/cloud based service that is designed just like Twitter? It would still be a problem. If you solve it at the phone company level, all the companies that operate like Twitter are protected.
Even better still, solve it at both levels, but definitely don't let phone companies off the hook.
Yeah, I think it should be solved in both places TBH. Defense in depth.
But it won't happen because people are dumb and don't care about the issue until the exact moment it bites. This basically applies to every security problem: everything is perpetually broken and therefore nefarious actors can always find a way to achieve their goals. Most people's best defence is to not have any enemies.
Being serious, I don't think waiting 72 hours for a SIM number port is an inconvenience.
If you lose your phone & SIM inside it, you need to go to the store anyway, or have a new phone sent by post (takes a few days usually). One of these things has to happen! You need a new phone!
So what we are adding here is a 72 hour wait for the number port. In the meantime you have a temporary number.
Govt should legislate to make precautions like this compulsory, or to create incentives for good security like steep fines against the phone company for simjacking, together with private red teams probing phone corp's security in this regard and claiming part of the fine.
> People don't usually lose their SIM card, so this process wouldn't happen very often.
People lose their entire phone all the time. In most cases, their SIM card is inside the missing phone.
Unless, of course, they anticipated just such an emergency, and preemptively kept the phone and SIM separate because they care that much about faceless, global social media platforms.
> They are mostly going to rely on low paid call center or shop floor staff to decide.
Actually, retail sales at AT&T and T-Mobile stores (not third-party retailers) can make mid to high five figures if they're competent salespeople. Maybe low six figures at a high-volume store. Most of the money is in commission but it's there.