From end-to-end encrypted messaging apps to secure email providers, we have plenty of ways to protect our communication and data. Yet, traditional phone calls and SMS remain vulnerable at the telecom network level—leaving a major security gap that the industry has failed to close.

Commercial cell phone carriers use outdated, easily exploitable security protocols that have exposed consumers to countless data breaches. In a 2024 SEC filing, AT&T revealed that a security breach that took place between May 1 and October 31, 2022, as well as on January 2, 2023, exfiltrated the “records of calls and texts of nearly all of AT&T’s wireless customers.”

Other carriers are no less immune to security vulnerabilities. Besides dozens of individual data breaches, major carriers, including Verizon, T-Mobile, and Lumen, fell victim to Chinese hacking group Salt Typhoon.

As if this isn’t concerning enough, carriers routinely profit off of consumer data by selling it to third parties. This practice led to some serious repercussions for many top carriers when the FCC fined them $200 million in 2024.

The takeaway? Traditional carriers aren’t nearly as secure as they need to be. They operate on a trust-based system but don’t justify the trust customers put into them.

The question is: Do you have better options? Let’s find out.

The Fundamental Problem With Major Phone Carriers in the U.S.

To understand why major telcos are susceptible to frequent and elaborate attacks, you need to familiarize yourself with the key issues in the traditional telco architecture:

• • Interoperability over security
• • Data pooling
• • Legacy signaling protocols

Interoperability Over Security

Telco systems are prime hacking targets because they prioritize interoperability over security. To ensure seamless and uninterrupted roaming, telcos must blindly trust one another. However, once a malicious actor breaches the system, they can access massive amounts of user data.

Data Pooling

Traditional carriers don’t just collect excessive personal data—they aggregate it across multiple sources to create detailed user profiles. This includes data from your carrier, your home internet provider, entertainment companies, ad agencies, and other third parties, all sharing and selling data to one another to create a more complete picture of who you are. The result? A highly valuable record of who you are, what you do, and where you go—perfect for surveillance, ad targeting, or exploitation.

Legacy Signaling Protocols

Mobile carriers rely on outdated telecommunication protocols, like SS7 and Diameter, which were never designed with security in mind.

SS7 was developed during the 70s, and it was last revised in 1993. This fact alone attests to why attacks and data breaches are so common—carriers are relying on a protocol that hasn’t been updated for 30+ years.

Diameter, on the other hand, was meant to enhance SS7 as its successor for 4G LTE, VoLTE, and 5G networks. Still, it inherited the protocol’s main flaw—a trust-based system without comprehensive authentication mechanisms or user control.

In practical terms, these architecture-level vulnerabilities allow malicious parties to:

• • Track the user’s location
• • Break into the networks and get access to users’ sensitive information
• • Extract the international mobile subscriber identity (IMSI), which uniquely identifies each user of a cellular network

Is Your Mobile Carrier Actually Secure? Analyzing 7 Top Options

To help you understand the exact level of data protection you get with your carrier, the following sections will break down the security features and concerns of seven leading U.S. telcos and MVNOs:

1. AT&T
2. Verizon
3. T-Mobile
4. Visible
5. Mint Mobile
6. Xfinity
7. Boost Mobile

1. AT&T

AT&T provides regular security features to reduce the risk of data breaches:

• • Two-factor authentication (2FA) for online account access
• • Optional account passcodes
• • ActiveArmorSM security that helps block spam calls and notifies of data breaches

These features safeguard user data to an extent and focus on preventing SIM swaps—a common account takeover attack that ports a user’s phone number to an attacker’s SIM. However, the security mechanism isn’t too effective as AT&T employees could technically bypass it and allow hackers to perform a sim swap.

AT&T shares aggregated user data with third parties by default, which is an unfortunate industry standard. Worse yet, the carrier was found to illegally share users’ location data with third parties, which resulted in a $57 million fine by the FCC.

AT&T has also fallen victim to many data breaches over the years despite its security features. We previously mentioned a particularly dangerous one, when the data of over 70 million current and former customers ended up on the Dark Web.

The data included highly sensitive information like users’ Social Security numbers (SSN), which exposed customers to further issues like an increased risk of identity theft.

2. Verizon

Over the past few years, Verizon has released several security measures aimed at minimizing the risks of SIM swapping and similar attacks. The most effective one is Number Lock, which lets customers freeze their phone number to prevent it from being ported out without an additional layer of verification.

Another useful feature is the Number Transfer PIN, which is required when porting a line to another carrier. The user must generate the PIN through the app or by dialing #PORT, which complicates attackers’ takeover efforts.

Unfortunately, this doesn’t make Verizon significantly safer than AT&T. Both AT&T and Verizon employees were offered a $300 bribe per successful SIM swap, proving that the consumers’ accounts aren’t safe from internal threats. The company was also involved in the location-sharing incident, which confirmed its murky data protection practices.

To make the issue worse, Verizon has been found to share customer browsing and usage data with advertisers to personalize ads. While the carrier lets consumers opt out, there have been reports of it overriding users’ preferences and collecting data nevertheless.

While Verizon hasn’t reported as many significant security breaches as AT&T in the past few years, the data privacy issue remains due to the carrier’s inclination toward data collection and sharing.

Keep reading: Explore our AT&T vs. Verizon guide and discover how they measure up.

3. T-Mobile

T-Mobile’s account and data protection features are comparable to those of its competitors and include:

• • PIN/passcode required for all major account changes (e.g., number port-outs)
• • Complimentary Account Takeover Protection add-on
• • Scam call blocking and reporting

The company took an extra step by pledging $150 million toward a two-year security upgrade initiative alongside the formation of a dedicated Cybersecurity Transformation Office reporting directly to the carrier’s CEO.

While these initiatives may seem commendable, the reason behind them is quite disturbing. Namely, T-Mobile suffered one of the largest telco breaches to date in August 2021, when an attacker used an API to extract the data of over 79 million users. The data included some of the most sensitive information, specifically:

• • SSNs
• • Names
• • Dates of birth
• • Driver’s license/ID details

Despite T-Mobile’s efforts to safeguard data following the incident, several major attacks occurred after it, with the most recent ones happening in 2023.

4. Visible

Verizon’s online-only carrier Visible gained popularity because of its budget-friendly unlimited plans. As users can only manage accounts through the app and website, the carrier safeguards them through several security measures, such as:

• • Multi-factor authentication (MFA)
• • Passwordless login
• • PIN for account changes

This wasn’t always the case—Visible implemented many of its measures following the 2021 security incident that involved a series of account takeovers caused by credential stuffing. The attack allowed hackers to change users’ information and exploit their credit cards for mobile phone purchases.

As for privacy, Visible is aligned with Verizon’s policies, which means user data is routinely collected and used for ad personalization. While there haven’t been any noteworthy incidents since 2021, Visible doesn’t offer significantly more protection than other carriers.

5. Mint Mobile

Mint Mobile operates on T-Mobile’s network, though it doesn’t share all of the same security features because it’s a considerably smaller carrier. It offers some standard protection mechanisms, including:

• • PIN for porting requests
• • IP address blocking
• • Notifications of notable account changes

In recent years, Mint Mobile suffered two noteworthy incidents. The first one was in 2021, when an attacker used SIM swapping to port numbers and accessed subscribers’ information like their names, call history, and passwords.

While the attack didn’t have severe consequences because no sensitive data was stolen, the second breach in 2023 was more invasive. Besides names and emails, the hacker stole account details like SIM card identifiers (ICCID) and the phones’ IMEI (unique device number).

Mint Mobile’s privacy practices are comparable to those of major carriers. The company states it might share your data with affiliates for marketing purposes, so consumers don’t get as much privacy as they should.

6. Xfinity

Xfinity is a part of Comcast’s ecosystem, so Xfinity Mobile accounts are linked to the cable/internet service account. Much like Visible, the carrier operates as a Mobile Virtual Network Operator (MVNO) and uses Verizon’s network.

With this in mind, Xfinity’s security features are aligned with Comcast’s and Verizon’s—they include:

• • Number locking
• • Email and text alerts for port-out requests
• • Two-factor authentication

Unfortunately, these measures weren’t enough to protect consumers from breaches. In 2022, a hacker managed to circumvent Xfinity’s 2FA and gain access to users’ accounts. In addition to accessing their information, they were able to reset passwords of not only Xfinity accounts but also other services like Gemini and Coinbase.

Privacy-wise, there’s not much to say—Xfinity’s privacy policy is aligned with Comcast’s and outlines the same conditions as other carriers, including data sharing with third parties (which you can opt out of). However, Xfinity is pooling customer data across the home internet and cellular business, which allows them to track customers with far more data.

7. Boost Mobile

Boost Mobile is a prepaid wireless carrier, so it inherently exposes consumers to fewer risks because it doesn’t require extensive personal details or credit checks. It comes with standard security features like PIN account protection and multi-factor authentication without advanced measures.

While the carrier hasn’t directly fallen victim to cybersecurity attacks, it suffered collateral damage from the attack on its parent company, Dish Network. In 2023, Dish Network was targeted by a ransomware attack that affected around 300,000 consumers, including Boost Mobile customers.

Even though Boost Mobile wasn’t the target, it was the entry point. The ransomware group reportedly gained access to Dish Network’s core system through the Boost Mobile network, which indicates the carrier’s weak IT safeguards.

So, Which Phone Carrier Is the Most Secure in 2025?

It’s evident that most top telcos and MVNOs don’t have airtight practices when it comes to data security and privacy. Legacy carriers continuously fail to eliminate the jarring vulnerabilities in their service, so all of the above options fall short if security really matters to you.

The good news is that there is an exception: Cape.

Cape is an independent mobile carrier built from the ground up on a privacy-first, minimal-trust model. The telco ditches traditional data-hoarding architecture and gives you a premium carrier service free from vulnerabilities like SIM swapping and SS7-based surveillance.

Cape: America’s Most Secure Cell Phone Carrier

Cape is a privacy-focused mobile carrier that bypasses the security issues of commercial operators through a secure mobile network where you retain full control of your data. Unlike typical carriers, Cape stores minimal data for a limited amount of time—only what is necessary to operate and provide efficient service.

The main reason behind this is that Cape runs on its proprietary cloud-based mobile core, which gives it full control over everything from user authentication to roaming. There’s no blind trust between phones and networks like with traditional carriers, which lets Cape offer features like:

• • Enhanced signaling protection: Cape’s proprietary signaling proxy defends against SS7 and other signaling attacks by blocking suspicious network attach requests.
• • Encrypted voicemail: Cape encrypts voicemail at rest, so the contents and metadata (e.g., the phone number of the person leaving you a voicemail) are only accessible to you.
• • Private payments: Cape uses tokenization for payments, which replaces sensitive data (e.g., your credit card number) with a unique identifier (token). Even if the token is stolen, it can’t be used to retrieve sensitive data, which renders it useless to attackers.
• • SIM Swap Protection: Cape uses modern cryptography instead of insecure passwords and PINs to protect your phone number from SIM swap attacks and insider threats.

Cape delivers nationwide coverage with unlimited calls, texts, and high-speed 4G/5G internet, for just $99 a month—no hidden fees or taxes, no contracts.

Take Control of Your Data With Cape

“Minimal data collection” isn’t a buzzword with Cape—you can sign up anonymously on any eSIM-compatible phone. Follow these steps to get started:

1. Verify your eligibility on the website
2. Download the Cape app from the Play Store/App Store
3. Choose a new number or port in your existing number
4. Save your unique 24-word passphrase
5. Download and activate your eSIM

More features are continuously being developed and released during Cape’s open beta period.

Cape has partnered with Proton to provide Cape customers with Proton Unlimited or Proton VPN Plus for just $1 for six months.