The New Oil's latest blog piece on decentralize.today

January 23, 2021

Last summer, news abounded on how to protect your phone at a protest. These included things like using a PIN instead of biometric locks, using encrypted messaging, and using a SIM PIN. The basic idea behind a SIM PIN is that while regular phone encryption can protect most content, the SIM itself is where the keys for that data are stored. Think of the SIM as your password manager: your bank account numbers may not be in there, but the password to log in to your bank account and get the numbers is. So Sunday night I decided to take my own advice and set up my SIM PIN. Let me share my journey and the lessons learned.

Lesson 1: Your Carrier Knows Your PIN (AKA “Should I Even Set Up a SIM PIN?”)

On Sunday, when I attempted to set the PIN, I was instantly locked out of my SIM card for doing it wrong. This effectively turned my phone into an overpriced iPod Touch. For some people, that’s fine. For me, long story short: not something I’m willing or able to commit to at this time. I was immediately informed that I had to contact my provider to get the PIN to unlock the SIM, which begs the question “what’s the point if someone else knows my password?” I would still argue this is a worthwhile thing to do. I think a lot of privacy enthusiasts get so caught up on “zero knowledge” that they lose sight of the fact that “less knowledge” is still better than “open knowledge.” Let me unpack that:

“Zero knowledge” means the provider can’t see it. For example, if you use one of the encrypted email providers I recommend on my website, the provider can’t see your inbox (though they may be able to see messages coming in and out, depending on the service and how you use it, that falls outside the scope of this post but is addressed on the page I linked). That’s “zero knowledge.” When I say “open knowledge,” I’m talking about something like your public Facebook page with the default settings: everyone can see your posts, everyone can see your pictures, anybody can see your likes and check-ins. There is no restriction to the information, it’s “wide open.” And so, by that logic, “less knowledge” would land somewhere in the middle: it’s not “zero knowledge” where only you have the information, but it’s not wide open for everyone to see either. Only specific people have access.

Zero knowledge is always preferable, but as I’ve discussed in the past, “don’t let perfect be the enemy of good.” A SIM PIN may not be zero-knowledge, but it’s not wide open either. It won’t protect you from police with a warrant or rogue employees, but it will protect you from the jerk at the concert who steals your phone or the stalker ex (depending on their capabilities).

Lesson 2: You Probably Already Have a PIN

The fact that my SIM got locked right off the bat tells me that my SIM already had a PIN. So if you’re planning to use this feature – and I recommend it – you should start by contacting your carrier and confirming what the PIN is. It probably has a default of “1234” or something like that. Because my SIM was locked, that meant I was COMPLETELY unable to make or receive phone calls. (I assume emergency services would’ve been exempted but I wasn’t about to test that out for obvious reasons.) My carrier, by policy, was only allowed to text me my PIN, which meant that unlocking it was now an impossible Catch-22. Then, once you learn the PIN, you’ll probably learn that it’s not very secure. In my case, it was an old PIN that I used to reuse everywhere back in my pre-security days. So I quickly changed it to something randomly generated and stored everything I needed to know in my password manager.

Lesson 3: Don’t Depend on Your SIM

While this was a very frustrating adventure, it was more inconvenient than anything. Despite being – as I called it – an “overpriced iPod Touch,” my actual life went virtually unaffected. I don’t use my SIM for anything other than actual cell data when I’m not on WiFi. I use Signal as my daily communication app. I use MySudo for work and other Voice-over-IP needs. I mainly rely on an offline password manager that’s only on my desktop. I have the passphrases to login to my desktop memorized. The point is, there was only one way that this experience actually impacted me while I was waiting to contact customer support: I was unable to receive the Catch-22 text. Other than that, this really didn’t impact me. I had to pick up a package from a friend so I messaged them in advance to let them know my travel route (they were stop #2).  I had to pre-download my music from Spotify (yes, not privacy-friendly, shoot me) for my commute to work. Absolutely nothing else mattered, and frankly the only reason I even was so determined to fix the issue was because I need my phone to work while I’m on a job site and we don’t always have access to WiFi on job sites. Maybe for February I’ll challenge myself to remove the SIM card outside of office hours…

Conclusion

So I did finally unlock the SIM after several frustrating hours talking to tech support. As I mentioned before, the PIN I was using was insecure, and it turns out the first agent I spoke to gave me the wrong PUK (Personal Unlock Key, a unique number linked to your SIM card) so my PIN didn’t work. Once I got connected to an agent who gave me the correct PUK, I was able to easily guess my PIN. Would I recommend using a SIM PIN? Despite my initial hiccup, yes. As is often my style, I kind of charged into that one totally blind like the infamous Leroy Jenkins, but had I proceeded with caution I think this experience wouldn’t have even been on my radar, and no doubt my phone is now even more secure than it already was. One of my strong philosophies behind this site is the idea that these are the changes that matter – the little changes that you don’t even notice once they’re in place, but they dramatically improve your privacy and security. So don’t miss out another chance to take up your game. Just learn from my mistakes.

You can find more recommended services and programs at TheNewOil.xyz.  You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.