Another thought that crossed my mind for the extra layer of protection was perhaps security questions could be used?
If part of the account opening process was to provide answers to a few security questions and these questions didn't include ones that could be guessed from information in a member's account profile, then when a member starts a sim swap they could be asked to answer one of their security questions before the swap will complete.
After a bit more thought about this, the problem I see with our confirmation email plan is that in order to start the sim swap process the scammer has to be logged into the victim's account and so I wouldn't be surprised if their first action is to change the member's email address on their account to one that the scammer has control of for a variety of reasons so it would be them that'd receive the confirmation email and not the victim of the scam.
I must admit I'd overlooked the problems that a security question could pose to members with memory problems but what about if the member could compose the question as well as the answer rather than having to choose a set question like "what was your first pet's name?" from a list?
In this way the member could set a question and answer which is totally unique to them so hopefully unguessable by the scammer but at the same time a Q&A that they felt confident that they would remember.
I'm sure this would be technically possible on giffgaff's part and this problem is getting more urgent to resolve just about by the day, here's 3 cases I noticed in a day between Christmas and New Year and reports at Twitter confirm that the phishing texts are still being sent allowing the scammers to harvest more members' details to perform these rogue sim swaps with:-
The composing of questions really doesn't help @woodyuk.
A quick look at my Vodafone account, (handy that it's today that I chose to update all my passwords and email addresses everywhere), and it shows me I've a hidden "secret word", and a visible hint.
The hint has not helped to remind me of the secret word, (which I'd forgotten setting let alone the content). I can guess, and the guess may even be correct, but if I ever need to use it or change it it's much more likely that I'll have to call them.
It is the lack of this ability to call and verify by other means which presents the biggest obstacle for people like myself with severe memory issues.
That's one of the reasons I love them so much, (and Lloyds and Nationwide and others), because they're all willing to work with me and identify me via other means that I can remember, like my national insurance number, my NHS number, my partner's date of birth and name, things like that.
This could be possible with giffgaff but you've problems with remembering the format. For instance if one of the security questions was "What position did you play in soccer" and the answer is center back, you can write that in a number of different ways and you've gotta remember which one you used or you're locked out.
When you can call, the format the answer is written in doesn't matter, you'd be able to say "center back" and pass even if you wrote CB or CD on the form, because the human can apply common sense, you can probably even pass if you say "central defender" in such a situation because of course they're all the same thing.
Forms can't make distinctions like that.
I've been locked out on capitalization errors before and not being able to remember how much of someone's name I used and how I capitalized it.
But yeah you're right about the email address change, which is why that should also be two factor authenticated, (to the old address), and email addresses should be verified anyway which they currently aren't.
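An added example, not part of either post above and not giffgaff's or any provider's code: a sketch of how a form could canonicalise a security answer before hashing it, so that capitalisation, spacing and punctuation stop causing lockouts. The function names and PBKDF2 parameters are assumptions chosen for illustration; the answer is stored only as a salted hash.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def normalize_answer(text: str) -> str:
    """Canonical form: Unicode NFKC, case-folded, only letters and digits kept.

    "Center Back", "center-back" and " CENTER  BACK " all become "centerback".
    """
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def _derive(answer: str, salt: bytes) -> bytes:
    # Hash the canonical form, never the raw text the member typed.
    canonical = normalize_answer(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store against the account."""
    salt = os.urandom(16)
    return salt, _derive(answer, salt)


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    return hmac.compare_digest(_derive(candidate, salt), digest)


if __name__ == "__main__":
    # Constructed sample answer, taken from the soccer example in the thread.
    salt, digest = enroll("Center Back")
    for attempt in ("center back", "CENTER-BACK", " Center  Back ",
                    "CB", "central defender"):
        print(f"{attempt!r:22} -> {verify(attempt, salt, digest)}")
    # Abbreviations and synonyms ("CB", "central defender") still fail:
    # normalisation cannot replace the judgement a human agent applies on a call.
```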