FWIW my Samsung default eSIM pin was 1234.
If you happen to have a Google account, it would force an FRP lock, and that would stop access, but most of the fediverse does not like those types of online accounts.
I'm sure the majority of the fediverse have a google account tied to their android phone.
I'm sure I'm not alone in asking:
- How do you set a SIM PIN on a modern smartphone?
- Can it be more than four digits?
- What's to stop it being brute forced?
SIM PINs are 4-8 digits.
The SIM chip itself is supposed to limit entry attempts to 3; idk if anyone has managed to bypass it.
After that, it requires a PUK code, 8 digits I believe. It's sometimes found on the big plastic card thing (it's like the size of a credit card, and you pop the physical SIM out of it). 10 attempts.
I think the carrier also has it.
So an attacker needs to either:
- Guess the SIM out of 3 tries
- Somehow hack the chip to bypass the limits
- (a) Obtain the plastic card thing, or (b) social-engineer customer support into providing the PUK (I mean, if they can manage to trick customer support, they could probably just get a new eSIM, which is immediately issued to their phone through the internet, anyway), or
- Somehow guess an 8-digit code in 10 tries
The thing is, as a kid/teen I messed with tech stuff a lot (got my parents' SIM cards locked a few times 👀, they got so mad at me lol) and I found that sometimes I could reboot a phone and the 10 attempts on the PUK code would reset... idk how, maybe the SIM card had issues... or maybe it's a T-Mobile issue.
- On Android, the setting is in Settings > Security > More Security
- Yes
- The fact that it can only be attempted three times, after which a much longer PUK code from your service provider must be used to restore functionality to the SIM. It also has limited attempts, after which the SIM is locked forever.
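The retry limits described in the reply above, and in the earlier breakdown of the attacker's options (3 PIN tries, then an 8-digit PUK with 10 tries, then a dead card), are easy to reason about as a small state machine. The following is an added example written for this page; it is not code from the thread or from any SIM/eUICC vendor. It assumes the limits quoted in the thread and a uniformly random PIN for the odds calculation; the card's counters are modelled as living on the card (in the object), which is why rebooting the handset is not modelled as resetting them.

```python
"""Retry-counter model for a SIM PIN and its PUK (added example).

Assumptions (from the thread, not from any specification text on the page):
4-8 digit PIN with 3 attempts, 8-digit PUK with 10 attempts, and a card that
is permanently blocked once the PUK attempts are exhausted. Counters are
stored on the card (here, in the object), not in the handset OS.
"""
import secrets

DIGITS = "0123456789"


class SimCard:
    PIN_TRIES = 3    # wrong PINs allowed before the PIN is blocked
    PUK_TRIES = 10   # wrong PUKs allowed before the card is dead

    def __init__(self, pin="1234", puk=None):
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4-8 digits")
        self._pin = pin
        # Carriers print the PUK on the plastic carrier card; generate one here.
        self._puk = puk or "".join(secrets.choice(DIGITS) for _ in range(8))
        self.pin_remaining = self.PIN_TRIES
        self.puk_remaining = self.PUK_TRIES

    @property
    def state(self):
        if self.puk_remaining == 0:
            return "PERMANENTLY_BLOCKED"
        if self.pin_remaining == 0:
            return "PIN_BLOCKED"
        return "READY"

    def verify_pin(self, candidate):
        """PIN check: a wrong guess burns one attempt, a correct one resets the counter."""
        if self.state != "READY":
            return self.state          # blocked cards ignore even the right PIN
        if secrets.compare_digest(candidate, self._pin):
            self.pin_remaining = self.PIN_TRIES
            return "OK"
        self.pin_remaining -= 1
        return "WRONG_PIN" if self.pin_remaining else "PIN_BLOCKED"

    def unblock(self, puk, new_pin):
        """PUK check: success installs a new PIN and restores both counters."""
        if self.puk_remaining == 0:
            return "PERMANENTLY_BLOCKED"
        if not (new_pin.isdigit() and 4 <= len(new_pin) <= 8):
            return "BAD_NEW_PIN"       # rejected before any counter is touched
        if secrets.compare_digest(puk, self._puk):
            self._pin = new_pin
            self.pin_remaining = self.PIN_TRIES
            self.puk_remaining = self.PUK_TRIES
            return "OK"
        self.puk_remaining -= 1
        return "WRONG_PUK" if self.puk_remaining else "PERMANENTLY_BLOCKED"


def brute_force(card, guesses):
    """Feed guesses to the card in order; stop at success or at a block.

    Returns (outcome, attempts_used)."""
    for n, guess in enumerate(guesses, 1):
        status = card.verify_pin(guess)
        if status == "OK":
            return "CRACKED", n
        if status != "WRONG_PIN":
            return status, n
    return "GAVE_UP", len(guesses)


def brute_force_odds(digits, tries):
    """Chance that `tries` distinct guesses hit a uniformly random `digits`-digit code."""
    return min(tries, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    common = ["0000", "1234", "1111"]          # constructed attacker wordlist
    # Handset still on a carrier default of 1234: the short list wins.
    print(brute_force(SimCard(pin="1234"), common))   # ('CRACKED', 2)
    # User-chosen PIN: three misses and the card demands the PUK.
    print(brute_force(SimCard(pin="7391"), common))   # ('PIN_BLOCKED', 3)
    print(brute_force_odds(4, 3), brute_force_odds(8, 10))   # 0.0003 1e-07
```

The two `brute_force` runs make the practical point of the thread: the 3-attempt counter only helps if the PIN is not on a three-entry list of defaults, and once the PIN is blocked the attacker is down to 10 guesses at an 8-digit PUK (odds 1e-7) or to whatever social engineering gets the PUK out of the carrier.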
Not sure how that works cryptographically, or how robust a physical SIM is against tampering.
The eSIM uses the TPM and the physical SIM uses smartcards running Java applets. The SIM type smart cards generally make use of tamper resistant circuits and are set to not allow key extraction, similar to the TPM.
It's not undefeatable, but both require really expensive hardware and you can only target devices you physically have in your hand so it's not worth the investment. If you're law enforcement you don't even care about unlocking the SIM, you're just going to the carrier directly instead. If you're not using that equipment for stealing hardware wallets from rich cryptocurrency owners, you don't have a chance of return of investment. Also it will fail a lot (destroy the chip)
I believe this wouldn’t be as simple on iPhone because there is no easy way to do the restore like that on the phone itself.
DFU mode could be used, but you'd need a computer to finalize the restore process, and somewhere along the line it will require your Apple ID credentials. Either in iTunes/Finder or when setting up the phone after the restore.
Unless the owner has relinquished their account from the phone, then this may be possible using that method.
But having a SIM lock is still an extra layer of protection against these kinds of attacks.
I've never used a sim pin in my life. If my phone is stolen I'm more concerned about them getting the data on the device than using my phone number for nefarious things. A hacker would need to know I use X bank, know my password, and then have stolen my phone and used that combination of things to hack my bank account.
Also I'm going to transfer the sim to whatever new phone I get as soon as I get it. So once I know it's stolen and I'm not getting it back I'm going to transfer it and they lose that access.
but most of the fediverse does not like those types of online accounts,
Most of the habitual posters maybe. Most actual users are more normal.
You know, I literally just read about this in my textbook, but I'm trying to cram the last of my classwork for finals so I glossed over it.
Thanks for the reminder, time to set up that PIN...
I've always used a PIN.
I did not know the eSIM is stored outside the normal data partition and survives factory resets. That doesn't feel right.
Edit: huh, my eSIM had a default PIN set which I had to provide to set one.
The setting is in Security, not SIM card info.
I did not know the eSIM is stored outside the normal data partition and survives factory resets.
Your phone's OS knows nothing about the eSIM. On older devices it was entirely a separate component living in its own little world. Now it's integrated into the CPU, still entirely separate from your OS.
That doesn’t feel right.
If someone resets it they don't want to lose their cell connection. When you've lost your sim and need to get it reactivated without that form of authentication it's a HUGE pain in the ass, and going to a store is the easiest way. I don't want to drive to a store because I wanted to start fresh on my phone. A factory reset doesn't wipe your physical sim.
Cool but apparently I need a pass key I don't have to turn it on...
search "[Carrier Name] default SIM PIN"
If you get it wrong twice, then just forget about it (max 3 attempts). I mean, just be careful and don't let your phone get stolen lol
(Or if you have the PUK (it's on the back of the plastic card that comes with your SIM card, for physical SIMs), you can just get it wrong 3 times and then use the PUK to reset the PIN.)
Wait, you have a SIM/eSIM? You bank through your phone?
Well there's your two main problems right there, separate your banking from your mobile device altogether.
All bank accounts require a phone number. VoIP numbers do not work.
Online banking through a computer requires a phone number for them to send a 2FA code to before letting you log in. (Phone-number 2FA is the only 2FA option, and even if not, it's often used as a recovery option for whatever other 2FA method there is, effectively making the phone number the weakest link.)
But I guess if you don't like that, you could tell them to disable online banking and avoid using electronics for banking, but then you'd have to either go to the bank every week and wait in an annoying line to verify you're getting paid and that the amount is correct (cuz you can't trust employers)
(Or use the sketchy ATM machine that could have card skimmers and fake PIN pads, can sometimes be much more dangerous than online banking IMO)
(Also some people need online banking; like, my parents have a small business and my mom has to do a bunch of bank transfers every month through online banking...)
My bank does not use a phone number for 2FA... It's handled by their app.
The phone number is now relegated to other personal information you might use to verify who you are.... Like address, date of birth, or other security questions like mother's maiden name
That feels worse...
At least you can change a phone number
How do you change your personal info? It's permanent and unchanging... One data breach and you're fucked
Well... Um... Its a bank... one breach was always going to be fucked...
When you change info you show up in person with your ID... Same as you when you set up an account the first time
Idk if I could live life not using ATMs.
Yes, they might have card skimmers, but I would trust that the ATMs inside the bank branch would be free of those, as a lot more eyes are on those machines, even CCTVs, and any suspicion would immediately get staff's attention. I always do the prying test on new ATMs I encounter, to see if anything moves, and once I'm satisfied with it, I just look for any changes the next time I use it.
Lol my mom taught me to never trust ATM machines and always go inside the branch.
Also for gas stations, never pay at the pump, always go inside to pay...
That's always been my preference, just go to the bank in person..
My bank no longer has offices. Which was great fun when someone gave me 1000 quid that I can't do anything with because nobody accepts large bills.
Maybe this is more of a personal opinion, but I don't consider that a proper bank then, if they don't have a physical brick and mortar office to conduct business with an actual human.
Proper banks do more than money transfers, they also notarize legal documents, which must be done in person. Plus they also offer safety deposit boxes.