Why YSK:

Because this scenario:

I know what some people are thinking:

My eSIM is tied to my phone, phones these days have encryption, so all I need to do is set a lockscreen password then a thief cannot access any of my data.

WRONG

At least in Android: You can just use some button combo (just look up “[Phone model] hard reset”) to get into the recovery menu and wipe all data, then reboot, and the eSIM is still there!

(Caveat to this: If you happen to have a Google account, it would force an FRP lock, and that would stop access, but most of fediverse does not like those types of online accounts, so: without a SIM PIN and without FRP locks, the eSIM is accessible to a thief)

Now the thief has your bank 2FA Codes!

TLDR: Set a PIN on your SIM cards, even if it’s an eSIM (but especially if you use physical SIM cards)

(Curious: Does anyone actually use SIM PINs or do I just have a lot of paranoia regarding tech and potential hacks/exploits?)

  • Onno (VK6FLAB)@lemmy.radio · 26 upvotes · 2 months ago

    I’m sure I’m not alone in asking:

    1. How do you set a SIM PIN on a modern smartphone?
    2. Can it be more than four digits?
    3. What’s to stop it being brute forced?
    • 「黃家駒 Wong Ka Kui」@piefed.ca (OP) · 22 upvotes · 2 months ago

      SIM PINs are 4-8 digits

      The SIM Chip itself is supposed to limit entry attempts to 3, idk if anyone managed to bypass it

      After that, it requires a PUK Code, 8 digits I believe. It’s sometimes found on the big plastic card thing (it’s like the size of a credit card, and you pop off a physical SIM from it). 10 Attempts.

      I think the carrier also has it.

      So an attacker needs to either:

      1. Guess the SIM PIN in 3 tries
      2. Somehow hack the chip to bypass the limits
      3. (a) Obtain the plastic card thing or (b) Social engineering to get customer support to provide PUK (I mean if they can manage to trick customer support, they could probably just get a new eSIM (which is immediately issued to their phone through the internet) anyways)
        or
      4. Somehow guess an 8-digit code in 10 tries

      The thing is, I as a kid/teen messed with tech stuff a lot (got my parents’ SIM cards locked a few times 👀, they got so mad at me lol) and I found that sometimes I can reboot a phone and the 10 attempts on the PUK code would reset… idk how, maybe the SIM card had issues… or maybe it’s a T-Mobile issue.
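
The retry limits described in the reply above, as an added example that is not part of the thread: a small Python model of a SIM's PIN/PUK counters (3 PIN tries, then 10 PUK tries, as stated in that reply) together with the odds of a blind guess. The class and function names are hypothetical, and the model assumes the counters are stored on the card itself.

```python
from fractions import Fraction

PIN_TRIES, PUK_TRIES = 3, 10   # limits as stated in the reply above


class SimCard:
    """Toy model of a SIM's PIN/PUK retry counters (hypothetical names)."""

    def __init__(self, pin: str, puk: str):
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("SIM PIN must be 4-8 digits")
        if not (puk.isdigit() and len(puk) == 8):
            raise ValueError("PUK must be 8 digits")
        self._pin, self._puk = pin, puk
        # Assumption: the counters live on the card, so a phone reboot
        # or moving the card to another phone does not change them.
        self.pin_left, self.puk_left = PIN_TRIES, PUK_TRIES

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "blocked"          # card has to be replaced
        return "puk_required" if self.pin_left == 0 else "pin_required"

    def verify_pin(self, guess: str) -> bool:
        if self.state != "pin_required":
            return False              # even the correct PIN is refused now
        if guess == self._pin:
            self.pin_left = PIN_TRIES  # a correct PIN resets the counter
            return True
        self.pin_left -= 1
        return False

    def unblock(self, puk_guess: str, new_pin: str) -> bool:
        if self.state != "puk_required":
            return False
        if puk_guess == self._puk:
            self._pin = new_pin
            self.pin_left, self.puk_left = PIN_TRIES, PUK_TRIES
            return True
        self.puk_left -= 1
        return False


def blind_guess_odds(digits: int, tries: int) -> Fraction:
    """Chance that `tries` distinct guesses hit a uniformly random code."""
    return Fraction(tries, 10 ** digits)
```

With these limits a blind guess succeeds with probability 3 in 10,000 against a 4-digit PIN and 1 in 10,000,000 against the 8-digit PUK.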

  • fuckwit_mcbumcrumble@lemmy.dbzer0.com · 11 upvotes · 2 months ago

    I’ve never used a sim pin in my life. If my phone is stolen I’m more concerned about them getting the data on the device than using my phone number for nefarious things. A hacker would need to know I use X bank, know my password, and then have stolen my phone and used that combination of things to hack my bank account.

    Also I’m going to transfer the sim to whatever new phone I get as soon as I get it. So once I know it’s stolen and I’m not getting it back I’m going to transfer it and they lose that access.

    > but most of fediverse does not like those types of online accounts,

    Most of the habitual posters maybe. Most actual users are more normal.

  • criticon@lemmy.ca · 11 upvotes · 2 months ago

    > If you happen to have a Google account, it would force an FRP lock, and that would stop access, but most of fediverse does not like those types of online accounts

    I’m sure the majority of the fediverse have a google account tied to their android phone.

    • hexagonwin@lemmy.today · 3 upvotes · 2 months ago

      genuinely curious about this, as i also happen to not have google account tied to my android and it runs degoogled lineageos. maybe i should create a poll

  • Imaginary_Stand4909 · 9 upvotes · 2 months ago

    You know, I literally just read about this in my textbook, but I’m trying to cram the last of my classwork for finals so I glossed over it.

    Thanks for the reminder, time to set up that PIN…

    • 「黃家駒 Wong Ka Kui」@piefed.ca (OP) · 5 upvotes · 2 months ago

      search “[Carrier Name] default SIM PIN”

      if you get it wrong twice, then just forget about it (max 3 attempts), I mean just be careful and don’t let your phone get stolen lol

      (Or if you have the PUK (it’s on the back of the plastic card that comes with your SIM Card (for physical SIMs)) you can just get it wrong 3 times then use the PUK to reset the PIN)