I was considering switching on SIM PIN protection for additional security. Before doing that, I was curious to find my PUK number.
While doing so, I have surprisingly found that my PUK code is publicly available online on https://www.o2.co.uk/help/phones-sims-and-devices/unblock-your-phone if I enter my phone number.
If I understand correctly, that is a complete security breach in the sense that even if I have an activated SIM PIN lock, any thief who steals my phone can just enter 3 random PINs incorrectly, and then use the PUK from the website just by entering my number.
I have assumed that the PUK should be protected by a mobile operator and be provided to a mobile network customer only after necessary verification is provided.
Could you advise, please: am I missing anything?
I think we had this discussion a couple of years back. Having PUK numbers available isn't a great security risk. As @Bambino says, unless the thief knows you and your number, the account will be secure. Most thieves will attempt to change the SIM card if the SIM and phone are secure. A screen lock is vital and then the SIM PIN is irrelevant unless your SIM is put into another phone.
Thank you. My name (which is quite "unique" as opposed to something more common like "John Smith") can be found in my phone screen lock options. Then, because of my business activities and Internet presence, my phone number can be found on the Internet by my name. Even if I did not have my name on the phone screen lock, sometimes I participate in some business events (including giving talks) so my name can be found that way (especially if there are any thieves at some big events) or through my business cards (and my business cards can be stolen with my phone).
I just don't understand why O2 would purposefully make my "secret" PUK code public and by doing so eliminate a very good, secure way to protect my SIM. If I understand correctly, the SIM PIN and PUK (if they are both secret) provide almost guaranteed protection from SIM misuse by common thieves, at least in the first few hours before the SIM is blocked by me with O2 customer support.
@User Why don't you just delete your name from your screen lock and use some other "unique" word so you could still identify your phone without giving anything away about who you actually are? Everyone puts their phone number on their business card. Your scenario is possible, but not very likely. A thief would have to crack your screen lock PIN first, and you could disable your phone remotely if that did happen before they got any further.
Thank you, MI5. Unless I am missing or misunderstanding how the PUK works, all they need to do (if they have connected the dots) is to enter any random PIN 3 times, then they just enter the right PUK, and they can change the PIN to whatever value. That is, if they do know the PUK, to the best of my understanding, it does not matter if they don't know the PIN: they can still unlock the SIM. (Unless I misunderstand how it works.)
Thank you, Bambino, I see what you mean. Yes, it is less likely that someone who has stolen my phone will know my name, but if they happen to steal it with my business card or my credit/debit card, then it is straightforward for them to find my phone number and then the PUK...
I just don't understand why the PUK has been made publicly available by O2 for any (or many) phone numbers...
Fair point @User
Probably best if only made available after logging into your MyO2 but I guess it's not something they feel is frequently abused.
@User From this site, it looks pretty easy to get a PUK from any network if you have the right info. https://www.uswitch.com/mobiles/guides/how-to-get-your-puk-and-unlock-your-phone/