So anyone can hack your phone number, know your location and intercept your calls and SMS; here is what you can do

The best thing you can do is not use a SIM card at all: put your GrapheneOS mobile in airplane mode and access the internet through WiFi via a VPN that decouples your IP from your browsing history, i.e. Obscura.

But banks, governments and other institutions are using SMS for verification, so you need a bridge, and that bridge is VoIP numbers.

VoIP numbers protect you from local attacks, i.e. no one can intercept your SMS and voice calls in close vicinity.

I recommend http://jmp.chat for US, Canadian and European numbers, as they provide them without KYC and their Android app is nice.

This also prevents physical and socially engineered SIM swap attacks: the support team there won’t transfer your phone number to someone else just because someone asked them nicely or gave up your legal identity and things related to it, because they don’t have it and they don’t verify like that.

I recommend you have 3 numbers: one for banking, one for gov ID and stuff, and one you give everyone else. This prevents someone from taking over your legal identity if they have somehow gained access to your “everyone” number. And you gain breathing space on your banking number and can track important financial matters separately.

One caveat is, if the phone call or SMS is routed through PSTN (plain text copper, nothing is encrypted), anyone can snoop on your phone calls and SMS if they have the E.164 number, i.e. your phone number.

By using a non-KYC number you ensure that your legal identity is not correlated, so nobody knows what is “your” number.

You can move to a country where PSTN is shut down, e.g. Netherlands, Germany, but I don’t advise that. Just use Signal for messaging and voice calling. iMessages are also E2EE, WhatsApp is also E2EE (caveat is the metadata isn’t), so anything is better than SMS to be honest. FaceTime is E2EE, but I recommend using http://booth.video for video calls.

One problem with using VoIP numbers is that you need internet, so either use Obscura with public WiFi or get data-only SIM cards. Most countries will ask for KYC information for that. I recommend getting a http://silent.link eSIM.

1 Like

Depending on your bank, the VoIP numbers may not work at all. And I speak from experience. I could not get my Canadian bank to accept my jmp.chat number.

But sure... everyone can try and see what can work for them. It takes a little time, effort, and a small cost but could be worth it depending on how you can sustainably maintain the OPSEC you’re trying to aim for and achieve.

2 Likes

Any half-decent system doesn’t use SMS codes as the only verification method, so this isn’t 100% accurate.

Your bank knows your identity, so I don’t really see the point of using VoIP.

SIM swap is a very US-specific problem; we virtually don’t have this issue in Europe. They will just mail your new SIM in.

There were fewer than 1,000 SIM swaps in the US in 2024. I don’t have stats for the EU but the UK had 2,760.

SIM swaps are extremely rare everywhere, but you are certainly not magically perfectly safe in Europe.

I would double-check existing accounts. Sometimes you can choose to use multifactor authentication via Authy, etc. (6-digit changing code) or via Passkey instead of using SMS verification.

I am surprised by this. Thought this was a very widespread problem in the US.

Exactly what I’m doing. 🤗


For banks etc., dumb phone with prepaid SIM for the rare times I need to access those. 👍🏻

1 Like

I am building a VoIP provider database per country code; you can contribute via this issue tracker: GitHub · Where software is built

And I will populate it into https://www.empirsec.co/voip/

1 Like

If I may ask, why have you chosen Substack instead of another platform on which to publish your blog?

It has emails integrated

Other alternatives do as well. That’s not unique to Substack. Was there another reason?

I’ll be completing something similar before the end of this month. I’ll be removing all SIM cards from my phones. I cannot avoid civilization and just rely on public WiFi. Too hardcore and extreme. I have ordered a GL.iNet Mudi V2. It’ll have a data SIM. All my other SIM-less devices will connect to the Mudi V2 via WiFi. I can’t totally prevent T-Mobile from trying to monetize my data, but it’s a start.

The ENISA (European Union Agency for Cybersecurity) reported at the end of 2021 that we¹ had 60 SIM swap attack attempts in the past 12 months.

However, these statistics came from the carriers themselves (each reported it back to the ENISA) and were from five years ago.

So it might not be as good of a source as some more qualified sources.

1: By “we”, all EU states are meant. The UK left the EU at the beginning of 2020.

3 Likes