SIM Swap Attacks Targeting O2, T-Mobile, and Vodafone CZ: How to Protect Your Number

Your mobile phone number is more than a way to make calls. In the Czech Republic, it is the key to your bank account, your internet banking authorization, your identity verification, and dozens of online services. SIM swap attacks exploit this by transferring your phone number to a SIM card controlled by a criminal. Once they have your number, they receive your SMS verification codes, access your bank accounts, and take over your digital life.

Czech police have reported a steady increase in SIM swap cases targeting customers of O2, T-Mobile, and Vodafone CZ. Here is how the attack works and how to defend against it.

How SIM Swap Attacks Work

A SIM swap does not require hacking your phone or stealing it. The attacker convinces your mobile carrier to transfer your phone number to a new SIM card. Here is the typical sequence:

1. Information gathering. The attacker collects your personal information — name, rodné číslo, address, date of birth — from data breaches, social media, phishing, or public records.
2. Contacting the carrier. They visit an O2, T-Mobile, or Vodafone store (or call customer service) and claim they lost their phone or need a replacement SIM.
3. Identity verification bypass. Using the personal information they gathered, they pass the carrier's identity verification. Some attackers use fake or stolen ID documents.
4. SIM activation. The carrier activates the new SIM card with your phone number. Your phone immediately loses service.
5. Account takeover. The attacker now receives all your SMS messages, including banking authorization codes, password reset links, and two-factor authentication codes.

Why Czech Customers Are Particularly Vulnerable

Several factors make the Czech mobile market susceptible to SIM swap attacks:

• SMS-based banking authorization. Many Czech banks still use SMS codes for transaction authorization. While push notifications are available, SMS remains the default for many customers.
• Three dominant carriers. O2, T-Mobile, and Vodafone CZ handle the vast majority of Czech mobile subscriptions. Attackers only need to learn the verification procedures of three companies.
• Rodné číslo as primary identifier. Czech carriers often use the rodné číslo for identity verification. Since this number appears in many databases and documents, it is relatively easy for attackers to obtain.
• In-store verification gaps. Retail store employees may not thoroughly verify identity, especially during busy periods.

Signs Your SIM Has Been Swapped

Critical: If your phone suddenly loses service and it is not a network outage, contact your carrier immediately. Every minute counts.

How to Protect Yourself

Carrier-Level Protection

1. Set a SIM change PIN with your carrier. Contact O2 (800 02 02 02), T-Mobile (800 73 73 73), or Vodafone (800 77 00 77) and request that no SIM changes be processed without a special PIN or passphrase.
2. Request in-person verification only. Ask your carrier to require in-person ID verification with a physical občanský průkaz for any SIM changes.
3. Enable account notifications. Set up email alerts for any account changes, including SIM swaps, plan changes, and new device activations.
4. Consider eSIM. If your phone supports it, eSIM is harder to swap because it requires scanning a QR code and cannot be physically replaced at a store.

Banking Protection

5. Switch from SMS to push notifications for banking authorization. George (Česká spořitelna), ČSOB Smart, and My KB all support push-based authentication that does not rely on SMS.
6. Set strict transaction limits. Lower your daily transfer limits so even if attackers gain access, the damage is limited.
7. Enable biometric authentication for your banking app.
8. Use a separate email for banking that is not linked to your phone number.

General Security

9. Do not share your rodné číslo unnecessarily. The less this number circulates, the harder it is for attackers to impersonate you.
10. Use an authenticator app instead of SMS for 2FA wherever possible. Apps like Google Authenticator or Authy are not affected by SIM swaps.
11. Monitor your phone for unexpected service loss. Set up a secondary communication method (email on Wi-Fi, for example) so you can detect a swap quickly.

What to Do If You Are a Victim

1. Contact your carrier immediately. Report the unauthorized SIM swap and request your number be transferred back.
2. Contact your bank. Block all transactions and internet banking access.
3. Change all passwords from a device you know is secure — especially email, banking, and social media.
4. File a police report with Policie ČR.
5. Check for unauthorized transactions across all financial accounts.
6. Enable authenticator-app-based 2FA on all accounts that currently use SMS.

Share Sensitive Account Details Without SMS

When you need to share login credentials, recovery codes, or financial details with a trusted person, never send them via SMS. SMS is fundamentally insecure and can be intercepted through SIM swap attacks. Instead, use LOCK.PUB to create a password-protected, encrypted link that expires after being read. No SMS interception risk, no permanent message history.

The Bottom Line

SIM swap attacks are among the most damaging cyber threats facing Czech mobile customers today. Your phone number has become a master key to your financial and digital life, and the barriers to stealing that key are lower than most people realize.

Take action now: call your carrier and set up a SIM change PIN. Switch your banking to push notifications. Replace SMS-based 2FA with authenticator apps. And when you need to share sensitive credentials, use LOCK.PUB — encrypted, temporary, and immune to SIM interception.