What happens when you forget your password for an online service? For most services, you can recover your password by having an email sent to you with a link to click on, or by having a text sent to your phone with a one-time PIN to enter into the site.
This system may be convenient, but it does mean that your phone acts as a single point of failure for all of your online accounts. This weakness is exploited by hackers who call your phone provider and claim to be you, saying that they have lost their phone and need your phone number transferred to a new SIM card that they have bought.
If the phone provider asks for identity-verifying information, the attacker may already know it if a lot of information about you is available online. "Mother's maiden name" can easily be found by looking at the names of your family on Facebook. If they don't have this, they can hang up and try again, hoping to get through to an employee who doesn't ask as many questions.
There are several steps that you can take to prevent and mitigate SIM jacking:
- Give fake answers to the security questions for your phone provider (and probably every other service) and write those answers down somewhere secure. Treat the answers as if they were passwords themselves, since they can be used to recover your accounts.
- Choose a phone provider which verifies your identity every time they communicate with you.
- Get a cheap pay-as-you-go SIM and use it only for receiving text verification messages from websites. Don't give this phone number to anybody, so that it doesn't become publicly known. This way, even if somebody does manage to SIM jack you, the phone number they get won't be connected with your online accounts. Be sure to read the terms and conditions of the private SIM card to make sure that it won't expire from inactivity, as you're unlikely to use it often.