A recently published study showed how easy it is for hackers and fraudsters to take control of your phone number, which can potentially lead to thousands of dollars in fraud. That's your money on the line. The practice of SIM swapping is becoming more and more common, and despite the fact that carriers are putting protective measures in place, it is frightening how quickly researchers could take over a telephone number.
The SIM card inside your phone is a small plastic chip that tells your device which mobile network you want to connect to and which phone number you want to use. We rarely ever think of SIM cards, except maybe when we get a new phone.
But here's the problem – hackers know that SIM cards are a pretty easy access point when it comes to taking over someone's phone number and in turn accessing their online accounts.
A SIM swap occurs when someone contacts your wireless carrier and, using your personal information, convinces the call center employee that they are actually you.
They do this by using data often exposed in hacks and data breaches, or information that you publicly share on social networks, to trick call center employees into swapping the SIM card linked to your phone number for a SIM card in their possession.
Once your phone number has been assigned to a new card, all your incoming calls and text messages will be routed to whichever phone the new SIM card is in.
At first glance, it seems somewhat harmless. But when you think that most of us have our phone numbers linked to our bank, email and social media accounts, you quickly start to see how easy it would be for someone with access to your phone number to take over your entire online presence.
Matthew Miller, a contributor to CNET's sister site, ZDNet, fell victim to a SIM swap scam last year, and he is still experiencing the consequences of the fallout. Whoever took over Miller's phone number gained access to his Gmail account and immediately changed his password, then deleted every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account completely.
Miller later discovered that he was targeted because he had a Coinbase account and his bank account was linked to it. Miller's phone number received his Coinbase account's two-factor authentication codes, so hackers could log into his cryptocurrency trading account and buy $25,000 in Bitcoin. Miller had to call his bank and report the transaction as fraud. That is on top of the enormous vulnerability he felt.
For someone who takes over your phone number, the payoff is instant access to all two-factor authentication (2FA) codes you receive through text messages, the PINs that an institution texts you to verify that you are who you say you are. This means that if they have your password, they are just a few clicks away from logging into your email, bank or social media accounts.
And if someone accesses your email account, they can change your passwords and search your email archive to create a list of your entire online presence. and use app-based codes instead. Seriously.
What can you do to prevent a SIM swap on your account?
You can reduce your chances of anyone accessing and taking over your phone number by adding a PIN or password to your wireless account. T-Mobile, Verizon, Sprint and AT&T all offer the possibility to add a PIN.
Some companies, like Sprint, require you to set up a PIN when signing up for service. But if you are unsure if you have a PIN or need to configure one, here is what you need to do for each of the four major US carriers.
- Sprint customers: Log in to your account on Sprint.com and then go to My Sprint > Profile and security > Security information and update the PIN or security questions, then click Save.
- AT&T subscribers: Go to your account profile, log in and then click Login Info. Select your wireless account if you have multiple AT&T accounts, then go to Manage Extra Security under Wireless Password. Make your changes and then enter your password when prompted to save.
- T-Mobile users: Set a PIN or password the first time you log into your My T-Mobile account. Select Text Messages or Security Question and follow the instructions.
- Verizon Wireless customers: Call *611 and request a Port Freeze on your account, and visit this website to learn more about enabling Enhanced Authentication on your account.
If you have services through another operator, call their customer service number to ask how you can protect your account. You will probably be asked to create a PIN or password.
When creating a PIN or password, remember that if someone has enough information to pretend that they are actually you, using a birthday, anniversary, or address as the PIN will not cut it. Instead, create a unique password for your carrier and then store it in your password manager.
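To make the point about a birthday, anniversary, or address concrete, the following Python example (added here, not part of the original article) lists the PINs that fall out of a single date and flags a candidate PIN that could be built from facts someone can look up. The sample birthday and phone number are constructed.

```python
from __future__ import annotations
from datetime import date
from itertools import permutations

def date_pins(d: date) -> set[str]:
    """Every 4-, 6- and 8-digit PIN that can be formed from one date."""
    parts = {"D": f"{d.day:02d}", "M": f"{d.month:02d}",
             "y": f"{d.year % 100:02d}", "Y": f"{d.year:04d}"}
    pins = {parts["Y"]}                      # bare year, e.g. 1987
    for a, b in permutations("DMy", 2):      # MMDD, DDMM, MMYY, YYMM, ...
        pins.add(parts[a] + parts[b])
    for order in permutations("DMy", 3):     # MMDDYY, DDMMYY, YYMMDD, ...
        pins.add("".join(parts[k] for k in order))
    for order in permutations("DMY", 3):     # MMDDYYYY, YYYYMMDD, ...
        pins.add("".join(parts[k] for k in order))
    return pins

def is_pattern(pin: str) -> bool:
    """Repeated digit (0000) or a run up or down (1234, 9876)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})

def check_pin(pin: str, dates: list[date], numbers: list[str]) -> str | None:
    """Return the reason a PIN is guessable, or None if no rule matched."""
    if not pin.isdigit() or len(pin) < 4:
        return "too short or not numeric"
    if is_pattern(pin):
        return "repeated or sequential digits"
    for d in dates:
        if pin in date_pins(d):
            return f"derived from date {d.isoformat()}"
    for n in numbers:
        # Street numbers, phone numbers, ZIP codes: compare digits only.
        digits = "".join(c for c in n if c.isdigit())
        if pin in digits:
            return f"appears in personal number {n!r}"
    return None

if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    birthday = date(1987, 3, 14)
    phone = "555-0142"
    print(len(date_pins(birthday)), "PINs come from one birthday")
    for candidate in ("0314", "1987", "4321", "0142", "7350"):
        print(candidate, "->", check_pin(candidate, [birthday], [phone]))
```

A `None` result only means none of these rules matched; it does not make a PIN strong.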
How do you know if you have been affected?
The easiest way to tell if your SIM card is no longer active is if you completely lose the service on your phone. You may receive a text message stating that the SIM card for your number has changed and to call customer service if you did not make the change. But when your SIM card is no longer active, you cannot make a call from your phone – not even to customer service (more on this below).
In short, the fastest way to see if you have been hit is if your phone completely loses service and you cannot send or receive text messages or phone calls.
What should you do if you are a victim of SIM swap fraud?
The truth is that if someone wants access to your phone number badly enough, they will do everything they can to trick your carrier's support representative. The steps described above are best practices, but they are not foolproof.
Researchers could pose as account holders who forgot their PIN or password, often providing the numbers most recently called by the account holder. How do they know these numbers? They either tricked the account holder into calling a few numbers or, even scarier, provided phone numbers for incoming calls to the account they want to take over, which means the bad guy simply needed to dial the target's phone number himself.
When you realize that you have lost service on your mobile device, immediately call your carrier and let them know that you did not make the changes. The carrier will help you restore access to your telephone number. I can't stress it enough: don't wait to call. The longer someone has access to your phone number, the more damage they can do.
Here are the customer service numbers for each major operator. Put your carrier's number in your phone as a contact:
- Sprint: 1-888-211-4727
- AT&T: 1-800-331-0500
- T-Mobile: 1-800-937-8997
- Verizon: 1-800-922-0204
When your SIM card is deactivated, you will not be able to call from your phone, but at least you will have the number on hand to dial from someone else's device.
You will also want to contact your banks and credit card companies and double-check all your online accounts to make sure the perpetrator has not changed your passwords or made any fraudulent transactions. If you find transactions that are not yours, call your bank or visit a branch directly and explain the situation.
Remember, no matter how many PINs or passwords we add to our online accounts, there is still a chance that someone will find a way to break in. But at least by setting a password for your account and knowing what to do if you find yourself a victim of a SIM swap, you are ready.
Another critical aspect of strong online security is to use a password manager to create and store unique passwords for your accounts. Also, enable two-factor authentication for each account that offers it.
Originally published last week. Routinely updated.