SIM swap attacks bypass carrier security flags because call center agents can override NOPORT protections with a single eSIM QR code

Mobile carriers offer security flags like T-Mobile's NOPORT and Verizon's Number Lock that are supposed to prevent unauthorized number transfers. But these flags are advisory, not enforceable. A call center agent can override them by issuing a remote eSIM QR code, bypassing the flag entirely. In the 2025 T-Mobile case, attackers convinced a single call center agent to issue an eSIM QR code despite the victim having extra security measures enabled, then drained $38 million in cryptocurrency within minutes. This matters because phone numbers are the backbone of two-factor authentication for banks, email, and crypto wallets. When an attacker controls your phone number, they receive every SMS verification code sent to you. They can reset your email password, which resets your bank password, which drains your accounts. The entire chain of custody collapses from a single social engineering call. The $33 million arbitration award against T-Mobile and the $46.9 million FCC forfeiture against Verizon prove the carriers know their safeguards are theater. This problem persists because carrier call centers are optimized for speed and customer satisfaction, not security. Agents are measured on handle time and customer satisfaction scores, creating an incentive to say yes to requests rather than refuse them. The verification process relies on knowledge-based questions whose answers are available in data broker databases. The fundamental conflict is that carriers need to make it easy for legitimate customers to manage their accounts, but that same ease is exactly what attackers exploit. There is no cryptographic binding between a customer and their number, just a database entry that any sufficiently persuasive caller can change.