Cybercriminals are increasingly targeting people’s phone numbers, hijacking and then using them to access people’s bank or social media accounts.
Mobile phone-related identity theft and hacking have been steadily increasing. Between 2013 and 2016, reports to the Federal Trade Commission (FTC) of identity theft via mobile phone hijacking more than doubled. We rely on our mobile devices to make financial transactions and store sensitive personal data. Hackers have found a way to steal that data through an attack called phone porting, also known as SIM swapping.
Phone porting is what happens when someone switches mobile phone carriers and takes their phone number from the old carrier to the new one. There was a time when porting was truly an ordeal that could take weeks or more, but now it’s instantaneous.
In a phone-porting attack, the hacker uses your mobile number and name to take over your mobile account. They do this by using social engineering to convince your mobile phone provider to port your number to a new service or device. The carrier is supposed to ask security questions based on personal information, such as date of birth, address, or the last four digits of the Social Security Number (SSN). The hacker may have obtained that information via phishing, mail theft, purchasing it online, following social media pages, or other social engineering techniques.
The primary vulnerability exploited in phone-porting attacks is the ability to reset passwords and bypass two-factor authentication via text messages on the accounts. With the mobile number ported to their own device, a hacker can receive text messages containing security confirmation codes, letting them access accounts such as Google, iCloud, Facebook, Dropbox, and PayPal. Mobile phone retailers should verify the account holder’s identity using security questions or by checking a photo ID. However, not every employee follows those guidelines. A determined criminal might even create a fake ID.
Two warning signs of a phone-porting attack are:
- Suddenly losing all service
- Receiving unexpected texts of authentication codes
Receiving authentication codes could mean someone is trying to breach your online accounts. If this is the case, you should immediately notify your mobile carrier, financial institutions, and the companies that sent you authentication codes, so you can mitigate any damage. If any of them confirm that a hacker attempted to port your phone number or gain access to your accounts, reporting the attempt to the FTC, local police, and credit bureaus will help you repair any damage caused by identity theft.
Mobile carriers are required by the FTC to have policies and procedures for detecting and preventing identity theft. Many mobile carriers, including Verizon, AT&T, T-Mobile, and Sprint, will let you set a password on your account. A person calling to make changes will have to provide the password first. As with everything digital, a strong password is the first line of defense. Changing the password on a random but regular basis will enhance that defense.
“Your phone number is increasingly becoming the key to your whole digital identity. As we explained in our guide to not getting hacked, you need to take some simple steps to protect it.” — Lorenzo Franceschi-Bicchierai