A recently published study showed just how easy it is for hackers and fraudsters to take control of your phone number, potentially leading to thousands of dollars in fraud — that’s your money on the line. The practice of SIM swapping is becoming more common, and despite carriers putting safeguards in place, it’s scary how quickly the researchers were able to take over a phone number.
The SIM card inside your phone is a small plastic chip that tells your device which cellular network to connect to, and which phone number to use. We rarely ever think about SIM cards, except maybe when we get a new phone.
But here’s the problem — hackers know that SIM cards are a fairly easy access point when it comes to taking over someone’s phone number and, in turn, gaining access to their online accounts.
SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data.
They do this by using data that’s often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employee into switching the SIM card linked to your phone number, replacing it with a SIM card in their possession.
Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in.
At first glance, it seems somewhat harmless. But when you consider that most of us have our phone numbers linked to our bank, email and social media accounts, you quickly begin to see how easy it would be for someone with access to your phone number to take over your entire online presence.
Matthew Miller, a contributor to CNET’s sister site ZDNet, fell victim to a SIM swap scam last year, and he’s still dealing with the fallout. Whoever took over Miller’s phone number gained access to his Gmail account, and promptly changed his password, then erased every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account altogether.
Miller later discovered he was targeted because he had a Coinbase account and his bank account was linked to it. Miller’s phone received his Coinbase account’s two-factor authentication codes, so the hackers were able to log into his cryptocurrency trading account and purchase $25,000 worth of Bitcoin. Miller had to call his bank and report the transaction as fraud. That’s on top of the immense vulnerability he felt.
One ill-gotten gain for someone who takes over your phone number is instant access to any two-factor authentication (2FA) codes you receive through text messages: the PIN that an institution texts you to verify that you are who you say you are. That means if they have your password, they’re just a few clicks away from logging into your email, bank, or social media accounts.
And if someone gains access to your email account, they can change passwords and search through your email archive to build a list of your entire online presence. Take the time to move away from SMS 2FA codes and use app-based codes instead. Seriously.
What can you do to prevent SIM swapping on your account?
You can decrease your chances of someone gaining access to and taking over your phone number by adding a PIN code or password to your wireless account. T-Mobile, Verizon, Sprint and AT&T all offer the ability to add a PIN code.
Some companies, like Sprint, require you to set up a PIN code when you sign up for service. However, if you’re unsure if you have a PIN code or need to set one up, here’s what you need to do for each of the four major US carriers.
- Sprint customers: Log in to your account on Sprint.com then go to My Sprint > Profile and security > Security information and update the PIN or security questions then click Save.
- AT&T subscribers: Go to your account profile, sign in, and then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
- T-Mobile users: Set up a PIN or passcode the first time you sign in to your My T-Mobile account. Pick Text messages or Security question and follow the prompts.
- Verizon Wireless customers: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.