SIM swap and the end of SMS as a second factor
SMS-based two-factor authentication was never very good, and the SIM swap attack is the reason. The carrier rules tightened in 2024, but the underlying weakness has not gone away.
The SIM swap attack has been a known weakness in mobile-based authentication for the better part of a decade, and it continues to drain accounts at a rate that suggests the broader market has not absorbed the lesson. The mechanics are not exotic. An attacker gathers enough identifying information about a target (often from prior data breaches, social media scraping, or phishing) to convince the target’s wireless carrier that they are the legitimate account holder. The carrier transfers the target’s phone number to a SIM card the attacker controls. Every text message and voice call intended for the target now arrives at the attacker’s device, including the one-time codes used to reset passwords and complete two-factor authentication.
From there, the cascade is fast. The attacker resets the password on the target’s email, then on the financial accounts linked to that email. Banking, brokerage, and cryptocurrency exchange accounts all fall in sequence. In cryptocurrency cases, the losses are typically permanent: once the assets are transferred to an attacker-controlled wallet and tumbled through a mixer, recovery is functionally impossible. Civil suits against the carriers have produced uneven results, with mandatory arbitration clauses limiting the venues and damages available.
The FCC adopted updated rules in 2024 that require wireless carriers to implement stronger customer authentication before processing SIM swap and port-out requests, and to notify customers of pending changes before they take effect. The rules are an improvement over the prior baseline, which essentially permitted store employees to make ownership changes on the strength of a memorized address. They do not eliminate the attack. Insider threats at carriers and authorized retailers continue to be a factor, and well-resourced attackers continue to find paths around the policy.
The lesson for individuals holding meaningful value in online accounts is that SMS is no longer a safe second factor for anything that matters. The categorical move is to authenticator apps (Google Authenticator, Authy, 1Password, similar), hardware security keys (YubiKey and equivalents), or passkeys where the platform supports them. Each of these binds the second factor to a device or a cryptographic credential the attacker does not possess simply by hijacking a phone number. For high-value accounts, hardware keys are still the gold standard.
Beyond changing the second factor, three operational steps significantly reduce SIM swap exposure. The first is to set a port-out PIN or account PIN with the wireless carrier and to use a value that does not appear in any prior data breach. The second is to separate the email address used for high-value financial accounts from the email address used for social media, retail, and general online activity, so that a compromise of the everyday address does not chain to the financial one. The third is to move cryptocurrency holdings of any significance off exchanges and into self-custody with hardware wallets, accepting the operational responsibility that comes with custody in exchange for removing the single point of failure that an exchange account represents.
For businesses, the same architecture applies at the workforce level. Executives, finance team members, and anyone with access to wire transfer authority, cryptocurrency custody, or administrative credentials should be off SMS-based authentication entirely. The cost of provisioning hardware keys for a few dozen high-value users is trivial compared to the loss from a single successful account takeover.
The deeper point is that authentication was always meant to be a layered defense, and SMS was the bottom layer in a tower most consumers built. Removing that layer does not collapse the tower; it forces the next layer up to do its job. The people who get this right have generally done it in advance of an incident. The people who get it right after an incident often discover that the funds they were protecting were already gone before they finished updating their settings.