SIM Swap Protection: Comparing Major Carriers vs. Cape’s Approach

07.18.25 - 4 min read

Blurred-out person holding a scribbled out phone, taking a photo of a city skylin

SIM swap attacks—where fraudsters hijack your phone number—are an increasingly common threat. In a SIM swap, a criminal convinces or bribes a carrier to transfer your number to a new SIM card or device they control. This allows them to intercept your calls and SMS messages, including two-factor authentication (2FA) codes, and take over your accounts. The stakes are high: scammers have used SIM swaps to drain bank accounts, steal cryptocurrency, and seize social media profiles. Despite some carrier protections, SIM swaps remain a serious risk.

What Is a SIM Swap and Why It Matters

A SIM swap (or SIM hijacking) is an attack where someone tricks your carrier into activating your phone number on a SIM card or device they control. Once your number is ported, the attacker receives all your texts and calls. Any one-time passcodes sent via SMS—for banking, social media, and more—go straight to the hacker, not you. With those codes, they can reset passwords and take over your accounts, potentially causing serious financial and reputational harm. Victims often realize something is wrong only when their phone loses service entirely.

While legitimate SIM changes happen during phone upgrades, in a fraudulent SIM swap the attacker impersonates you (using stolen info or fake ID) or bribes a carrier insider to authorize an unauthorized switch. It’s alarmingly simple: as one security expert put it, “anything you can do by calling your carrier, an attacker can do by pretending to be you.” Carriers have long relied on weak authentication methods—like static PINs or security questions—which are easily defeated. SIM swaps directly threaten your 2FA and personal data, making prevention essential.

Real Incidents Highlighting the Risk

- Insider Bribery at T-Mobile (2023–2024): Criminals offered T-Mobile employees cash to perform illicit SIM swaps. In one scheme, employees across the U.S. received texts offering $300 per SIM swap in exchange for transferring customer numbers to attackers. T-Mobile confirmed it was investigating these solicitation messages, highlighting the insider threat—hackers actively targeting carrier staff to bypass security.
- Store Manager Sold SIM Swaps (2021): A New Jersey telecom store manager pled guilty to accepting bribes to conduct SIM swaps using his employer credentials. Paid in Bitcoin, he enabled access to victims’ banking and social media accounts. Cases like this led the FCC to issue new rules in 2023 to combat SIM swap and port-out fraud.

These incidents underscore that SIM swaps aren’t theoretical—they’re happening to individuals, companies, and government agencies. The common denominator is weak carrier authentication. Below is a breakdown of how major U.S. carriers compare on SIM swap defenses—versus Cape, which was built for this very threat.

Comparing SIM Swap Protection by Carrier

The chart below compares leading U.S. carriers on their SIM swap protections and known vulnerabilities.

Provider	SIM Swap/Port-Out Protection Features	Vulnerabilities/Weaknesses
Verizon	Number Lock: Prevents number from being ported out unless the user disables it. SIM Protection: Blocks SIM or device changes unless unlocked in account. Includes a 15-min delay after unlock to prevent quick attacks.	Insider Override: Customer service reps can override locks if "you" pass ID checks—attackers can social engineer their way through. Recent Incident: A celebrity’s line was hijacked despite protections, suggesting a rep was fooled or bribed.
AT&T	Wireless Account Lock (WAL): Blocks SIM changes, ports, account updates until manually disabled. Account Passcode: Extra PIN must be provided for changes. Number Transfer PIN: Required for port-outs; short expiration time.	Insider Threats & Phishing: Criminals have bypassed protections via phishing or bribing reps. AT&T has been sued over SIM swap incidents where insiders allegedly helped thieves (notably the case of Michael Terpin, who lost ~$24M.) Partial Adoption: WAL must be manually enabled. When off, attackers with basic info can impersonate users.
T-Mobile	Account Takeover/Port-Out PIN: 6-digit Number Transfer PIN (via the app or website) to authorize any number port-out. SIM Change Protection: User-set block disables SIM/eSIM changes unless verified. When you enable SIM Protection on a line, no SIM swap or eSIM change can occur on that line until you disable the protection and verify via a one-time code. 2FA Enforcement: Any SIM change triggers a one-time code to the real user. No Unverified Self-Service: T-Mobile removed the ability for users to do unverified self-service SIM changes to reduce fraud.	Frequent Data Breaches: T-Mobile has suffered multiple data breaches exposing customer info (one API breach affected ~37 million accounts). Exposed data (like phone numbers and SIM identifiers) can help attackers impersonate victims to T-Mobile support or authenticate illicit SIM swaps. Insider Threats: As noted, criminal rings target T-Mobile employees with bribes to illicitly swap SIMs. If a rogue employee with sufficient access cooperates, they could override protections. T-Mobile’s history of frequent breaches and attempted insider attacks suggests attackers continue to see its defenses as something they can work around.
Mint Mobile (T-Mobile MVNO)	Number Lock: Mint Mobile (a T-Mobile network MVNO) introduced a “Number Lock” feature in its account settings, similar to Verizon’s. When enabled, it prevents any new SIM activation, SIM swap, or device change on your line . You must turn it off to, for example, replace your SIM or port out your number. One-Time Passcode for Unlock: Required to disable lock.Auto-Activation: Lock re-enabled automatically after suspicious activity.	Shared Network/Vulnerabilities: As a reseller on T-Mobile’s network, Mint may inherit some of T-Mobile’s vulnerabilities. In fact, Mint Mobile suffered a data breach in 2023 that exposed customer names, numbers, emails, and even SIM identifiers (ICCID/IMEI). Exposed SIM data is enough for attackers to attempt SIM swaps by impersonating users. Response Dependence: If attacker gains app/email access, they could disable protections—though OTP adds friction.
Google Fi	Google Account Security Integration: Your Google Fi service is tightly integrated with your Google account login. Any critical action like cancelling service or porting your number out requires you to be signed into your Google account. This leverages Google’s robust authentication (password + 2-Step Verification) for Fi. Verify It’s You” Checks: If Fi detects something suspicious when you attempt to view port-out info or make changes, it will prompt for additional verification (e.g. sending a push notification or security code via your Google app). Also, when contacting Fi support, the agent will ask you to sign in and provide a code or accept a prompt—they won’t rely solely on verbal info, reducing the risk of social engineering via phone support.	Single Point of Failure: Fi doesn’t use separate carrier PINs; it trusts your Google account. If your Google account is compromised, your Fi account is too. Third-Party Carrier Breaches: Google Fi itself was victim to a SIM swap incident when its underlying network provider (believed to be T-Mobile) was breached in 2022 . Attackers got Fi users’ phone numbers and SIM card serial numbers, which allowed SIM swaps on some Fi accounts despite Google’s protections.
Cape (Privacy-focused Carrier)	Secure-by-Design Architecture: Cape takes a fundamentally different approach–eliminating the usual weak links (passwords and call-center authentication). No passwords or standard PINs are used at all; instead, Cape uses modern cryptography and digital signatures to verify user identity. When you create a Cape account, you generate a unique 24-word passphrase (BIP-39 standard, like a crypto wallet seed) which derives a cryptographic key pair. Your private key never leaves your device, and only a correct digital signature from your device can authorize changes. User-Only Port-Out (No Human Overrides): Cape does not allow support agents or any employees to port out your number on your behalf—only you can initiate a number transfer, using your 24-word recovery passphrase as authorization. There is no “override” mechanism that a rogue employee or social engineer can exploit; a hacker would need that unique passphrase (which is nearly impossible to guess or phish, since Cape never asks for it directly and it’s not stored server-side). Integrated SIM Swap Protection: Since every critical action (like swapping your eSIM to a new device or changing account info) requires cryptographic login verification, Cape inherently protects against SIM swaps. There’s no separate “SIM lock” toggle needed—the account itself is locked down by your cryptographic identity. Cape’s philosophy is that human verification steps are inherently insecure, so they’ve removed them from the loop entirely.	User Responsibility: You must safeguard your 24-word passphrase (like a crypto wallet). If lost, recovery could be challenging—though Cape likely offers secure options. New Model: While no SIM swap breaches have been reported to date, the model’s novelty means continued scrutiny is warranted.

Sources: Official carrier support pages and news reports as cited above.

Cape: A Different (and Better) Approach to Stop SIM Swaps

While traditional carriers bolt on protections, Cape was built from day one to prevent SIM swap attacks. Here’s why Cape’s model stands apart:

No Passwords to Steal: Cape replaces logins with cryptographic signatures from your device’s private key. There’s no PIN or password that can be phished or reused by an attacker.

You Hold the Key: Your 24-word passphrase encodes your private key, which stays with you. It can’t be stolen from Cape’s servers because Cape doesn’t store it.

No Human Override Possible: Cape agents cannot port your number or make SIM changes on your behalf. There’s nothing for attackers to trick or bribe someone into doing.

Real-Time Security, Not Reactive: With Cape, every critical action requires cryptographic proof. There’s no "window of vulnerability" or reliance on alert-based reactions—just hard stops.

In other words, Cape doesn’t trust call centers, customer service reps, or guessable credentials—it trusts your key and nothing else. As Cape puts it: SIM swap protection isn’t an afterthought—it’s the foundation of our network.

Why It Matters and Conclusion

SIM swap fraud is accelerating, and even with new FCC rules, attacks persist. As we’ve seen, traditional protections—PINs, locks, SMS alerts—can be bypassed. Whether through phishing or insider access, attackers continue to exploit the weakest link: the carrier.

Choosing a mobile carrier with strong SIM swap protections isn’t just about privacy—it’s about protecting your money, your identity, and your peace of mind. Cape offers a fundamentally different solution: one that removes humans from the equation and replaces outdated security with modern cryptography.

If you want peace of mind that your number (and everything tied to it) is safe, Cape is the clear choice. It’s not just better SIM swap protection—it’s a smarter, safer way to stay connected.

Share it

SIGN UP TODAY

Cape your calls. Cape your location. Cape your life.

Get Cape