I made a stupid mistake.
I was fiddling around with the SIM Lock and mistyped the password and so now I am locked out of my SIM.
What I am wondering is if anyone knows where the password might be stored in the files?
For unlocking your sim-card you will need a so-called puk code. It is not stored on your phone. It used to be quite a hassle to get a puk code, nowadays more often than not you can find it on your provider’s website.
In Germany you get together with the SIM an initial PIN and an 8 digit PUK (Personal Unlocking Key). I can’t imagine that the SIM provider has this on its website. Do you have an example?
I can not show you the page where I can get my puk code, because it is in my personal T-mobile account for which I need to log in. But I can assure you I have it right here on my screen. I can also change my sim pin if I like.
Well, in Germany (and in Cuba) you get it with the plastic SIM printed on paper. If you in your case must login and get it from your account website, it would be a wisdom idea to write it to paper or a local file.
I wasn’t intending on losing my pin. Besides, I have a super easy pin.
By default, no, it isn’t - and for good reason. But it could be stored on the phone and that would actually make sense if you want just “one unlock” to do the whole job - rather than having to do 4 unlocks (disk encryption password, login password/PIN, SIM PIN, keyring password) each time you boot up.
Some people have asked for … unlock the OpenPGP card with the PIN and all the rest is taken care of.
This.
Some mobile service providers that give you a login to their web site to manage your account also give you an option to retrieve the PUK.
You do also have the option of having no PIN at all on the SIM.
Well, I ment that it is not stored on your phone automatically. And i did not know you can get rid of the sim pin. Don’t know whether it is wise to not protect the sim. I guess it is not as important as it was back in the day when mobile subscriptions were still pretty expensive and you had to pay by the minute. Although foreign calls can still get quite expensive of course.
T-mobile has been offering the puk online for a few years now. Before that, they used to send it in a letter.
These days the stolen phone is most likely to be used purely for the value of the phone itself or if not that then to make a few criminal phone calls before the phone is too hot and needs to be disposed of.
As you say, international calls are the only thing it would make sense to steal a phone for - but the IMEI would be reported stolen fairly soon and disabled - so it would be hard to justify the risk in order to make relatively little gain.
In our current time, SIM cards, especially if used without PIN can quite be on an attacker’s target because SMS is often used for logging in / second factor now.
Is two-factor login coupled to a specific sim-card, or to a specific phone, or to a phone number?
To the phone number (which is “on” the SIM card), but if an unauthorized person has the SIM card in their possession, they can initiate takeovers of any of your accounts, and will be receiving the 2FA codes instead of you. Then you might have a hard time convincing customer service reps that you are who you say you are, and that you’re a victim of account hijacking. The criminal will have caused this without even “socially engineering” the company rep to port your number to a new SIM card, which is the way the hijacking is usually accomplished.
Check out this story: https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/
True (and a SIM PIN helps there) but if the unauthorized person has the whole phone in his or her possession then potentially a SIM PIN won’t help because the SIM had already been unlocked (and it’s the phone unlock password / PIN that the thief may have to break, and I think I am right in saying that the phone does not have the same anti-brute-forcing protection).
Personally, I use a SIM PIN.
Random comment: If the text of a received SMS is displayed without unlocking the phone then in principle 2FA can be defeated without even breaking into the phone (but I am making assumptions for that to be a practical attack).