You Should Lock Your SIM Card Before Someone Else Does

SIM swapping has surged into a top-tier threat vector, with criminals exploiting the fact that a phone number serves as a de facto identity token for banking, social media, and enterprise services. When attackers acquire a victim's SIM, they can reroute calls, intercept SMS‑based one‑time passwords, and even reset account credentials. While many users rely solely on device passcodes, the SIM itself remains an unguarded entry point unless a personal PIN is applied, providing a critical layer of defense against these attacks.

A SIM PIN replaces the carrier‑provided default (often 1111, 1234, or similar) with a user‑chosen four‑digit code. The lock activates immediately; the device cannot register on any network until the correct PIN is entered. After three incorrect attempts, the SIM is disabled and a Personal Unlocking Key (PUK) is required—typically printed on the original packaging or obtainable from the carrier. Ten failed PUK entries permanently render the SIM unusable, underscoring the importance of securely storing this key. The configuration process varies: iOS users navigate Settings → Cellular → SIM PIN, while Android devices follow manufacturer‑specific paths such as Settings → Connections → SIM Manager → SIM card security.

Beyond the PIN, organizations should treat SIM security as part of a broader mobile‑identity strategy. Relying on SMS for two‑factor authentication is increasingly discouraged in favor of authenticator apps, hardware tokens, or push‑based solutions that are immune to SIM compromise. As eSIM adoption grows, carriers are introducing remote provisioning controls, yet the underlying principle remains—protect the credential that links a phone number to a user. Enabling a SIM PIN, maintaining the PUK, and transitioning away from SMS‑based verification together create a robust defense against identity theft in the mobile era.