[shortcake27]

This is not exactly true for many countries.

In Australia, for example, telcos get punished heavily for delaying ports but don’t get punished for unauthorised ports. This disincentivises telcos to perform any due diligence whatsoever. Up until a few years ago, anyone could walk into a telco and port any random number onto a new sim. These processes are improving, but sim swapping is still trivial.

Not to mention SMS is also an unencrypted medium.

I avoid using my phone number for MFA unless I’m forced into it (which sadly happens quite often).

[ggm]

This is counter to my understanding. I've always believed SIM porting attacks are both harder and less frequent in Australia compared to the USA

[shortcake27]

I can’t speak to USA vs Australia as I don’t know what the process is like in the USA, but this is how Australia works. The regulation originated from good intentions - in the 90s telcos would make it difficult for people to port their number, so ACMA stamped that out by prohibiting the losing telco from denying/delaying a port. It was up to the gaining telco to verify the identity of the owner, which was rarely done. You could just walk into a telco, give them your number, and get it ported to a new phone/sim immediately. I did it plenty of times in the 2000s.

Unfortunately these regulations now hurt the consumer more than they help. Imagine if you could transfer a domain name without a transfer code or confirmation from the owner or current registrar. That’s what phone numbers are like in Australia. I absolutely want my telco to deny a port without my permission, but regulation prevents them from doing this. Instead, I have to rely on every other telco in Australia doing their due diligence if someone tries to port my number. It’s a losing battle because my identity has been leaked several times in the past few years. I have to assume that at any moment my phone number will be ported away by a bad actor.

I believe this is being reformed to require explicit approval from the owner. But this is very late and inferior compared to other countries such as the UK with PAC codes etc.

[ggm]

I live in Australia, and every number port has required me to have the old SIM live, and respond to an SMS token exchange, before the receiver could proceed. Or, present the 3 trick questions and be recorded with the telco desk, and incur liability.

I've done three: Telstra to A now defunct MVNO back to Telstra and now Aldi.

I have never been able to socially engineer the change without either other online proof of posession, or this SMS exchange. Never.

Maybe I just found providers who implemented tighter controls.

I wasn't clear, that I also believe the RATE of sim port attacks in Australia is far, far lower than in the USA. I don't doubt some happen, but I think we have less per head of population. In part, I think the 100 points checks and KYC plays to this.