Secure Roamer

Practical security intel for independent travelers

SIM card being inserted into smartphone

Staying Ahead of SIM-Swap Attacks While Using eSIMs Abroad

June 23, 2025 · 5 min read

In Manila last year a traveler I met at a coworking space lost $6,000 because her U.S. carrier reassigned her number to a scammer while she was asleep. The attacker convinced support she was “locked out abroad,” issued a new eSIM, and siphoned her bank accounts via SMS 2FA. Ever since, I run a paranoid playbook to secure my eSIMs. It lets me juggle a U.S. primary number, a European business line, and temporary local data plans without giving fraudsters a foothold.

SIM card being inserted into smartphone

Photo: Unsplash / CardMapr.nl

My SIM Stack

  • Primary U.S. number: T-Mobile postpaid, living on an eSIM in slot 1 of my iPhone 15 Pro.
  • Business line: VoIP via Telnyx + hardware token for admin access.
  • Data eSIMs: Airalo, Nomad, Holafly depending on region (short-term)
  • Backup physical SIM: Mint Mobile triple-cut stored in wallet in case eSIM fails.

Step 1: Lock Down Carrier Accounts at Home

T-Mobile

  • Enable Account Takeover Protection (requires in-store ID verification).
  • Set a 15-character port validation PIN that is NOT reused anywhere else.
  • Disable SIM replacement via web—call customer support to add a note: “No SIM changes without in-person verification + passphrase.”

VoIP Providers

  • Telnyx > Security > “Enforce hardware tokens for login” + IP restrictions limited to my Mullvad exit nodes.
  • Generate API keys scoped to read-only for monitoring; rotate quarterly.

Authenticator segregation

  • Carrier account uses Duo Mobile with hardware U2F backup. No SMS fallback allowed.

Step 2: Configure iPhone for Minimal Exposure

  • Line labels: Primary (US), Data (Region). Helps avoid confusion when toggling.
  • Allow Cellular Data Switching: OFF. Prevents iOS from switching primary number to data line automatically.
  • Network Selection: Manual for each line—no auto-joining unknown carriers that may intercept.
  • SIM PIN: Enabled with 8-digit code. Without this, thieves can move an eSIM to their device. To enable: Settings > Cellular > SIM PIN.
  • iMessage/FaceTime: Bind to Apple ID email, not phone numbers. If the number disappears, iMessage continues to work.

Step 3: Travel-Day Checklist


[ ] Notify carrier of travel dates via secure message
[ ] Download offline carrier support docs (in case support site blocked)
[ ] Export QR codes / activation codes to encrypted Standard Notes entry
[ ] Snapshot current ICCID numbers and store in Obsidian daily note

I also create calendar reminders for SIM renewals so I don’t let data plans lapse mid-meeting.

Step 4: Monitoring for Swap Attempts

  • T-Mobile Account Alerts: Enable email + push for “SIM change,” “eSIM download,” “password reset.”
  • Bank alerts: Configure high-risk banks to send push (not SMS) when 2FA triggered.
  • Twilio Verify script:

import os
from twilio.rest import Client
twilio_client = Client(os.environ['TWILIO_SID'], os.environ['TWILIO_TOKEN'])
notifications = twilio_client.messages.list(limit=20)
for msg in notifications:
    if 'SIM CHANGE' in msg.body.upper():
        # escalate to Signal
        print("SIM change attempt detected", msg.date_sent)

I run this script every morning via cron on my home server. If anything suspicious appears, I freeze the number.

Step 5: Response Plan If Swap Is Detected

  1. Airplane mode immediately to keep existing eSIM active while you call carrier via Wi-Fi.
  2. Contact carrier’s fraud line (T-Mobile: +1-888-563-8762). Provide port-out PIN + travel passphrase.
  3. Request they flag the account, restore the eSIM to current device, and invalidate other downloads.
  4. Change carrier account password & security questions.
  5. Audit banks, email, Slack for login attempts. Rotate credentials if any 2FA messages triggered.
  6. Document incident in Notion (time, outcome, ticket numbers) and follow up with written confirmation from carrier.

Bonus Safeguards

  • Physical SIM fallback: Keep an unlocked Pixel 6 with the backup Mint SIM. If my iPhone goes down, I can port accounts temporarily to the secondary device.
  • Bank 2FA override: Most of my banks support hardware keys or app-based tokens (Authy, Symantec VIP). I set those up so SMS never enters the picture.
  • Number retention: I set up a Google Voice line that forwards to my main number. If the main number gets hijacked, people can still reach me via Voice.

Field Notes

Bangkok 2024: Received a T-Mobile “SIM change request” email at 02:17. I was awake, called the U.S. fraud line via Skype, confirmed it was unauthorized, and they blocked the attempt. The perpetrator had my old address + last four of SSN. Takeaway: never rely on KBA (knowledge-based authentication). My passphrase saved me.

Lisbon 2025: Airalo eSIM expired mid-call. Because Allow Data Switching was off, my primary number stayed safe; I simply reloaded the Airalo plan from their app via Wi-Fi.

Packing List for SIM Safety

  • Printed carrier passphrase + account numbers (sealed envelope).
  • SIM ejector tool + needle (always carry two).
  • Spare nano SIM in SIM card wallet (Bellroy Travel Folio).
  • QR code printouts of current eSIMs (laminated, stored in document pouch).

TL;DR


[ ] Lock carrier account with passphrase + in-person requirement
[ ] Enable SIM PIN + disable auto data switching
[ ] Store activation QR codes securely offline
[ ] Set alerts for SIM/account changes
[ ] Maintain backup SIM/phone and non-SMS 2FA everywhere

eSIMs make travel easier. They also widen the attack surface if you trust carriers and SMS too much. Build your monitoring, practice your response plan, and you can enjoy cheap data without inviting fraudsters into your bank accounts.

Explore More Topics