Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.
“As bad as we are at remembering names and phone numbers and word-for-word instructions from our colleagues, we have really exceptional visual and spatial memories.”
— Joshua Foer, 2006 U.S.A. Memory Champion
Let’s assume you read my previous article and learned how to limit your exposure online: you set up a password manager and enabled multi-factor authentication for your accounts. There is still more to be done to keep you safe. You might think your ID number or bank account numbers are the most sensitive digits. Sadly, with only your cell phone number, hackers can do far more damage with little effort.
However, unlike your ID or Social Security number, your cell phone number is something you’re unlikely to keep secret; otherwise, nobody could reach you! No matter which telco you use, any cell phone number can become a target for theft. Let’s take a look at the most direct way to protect it and at why we should think twice before giving out our phone number, online or offline.
We spend most of our time on this little device, whether we are waiting, in the elevator, walking, or in the toilet. It is with us all the time, anytime, anywhere. Not just that, we also use our phones to make life easier.
When we sign up for sites or services, we are often asked for our phone number for verification. Sometimes we even use it to log into apps and games directly. Our phone number is also the last resort for resetting an account when we forget the password. Needless to say, it is also a way to prove “something you have/know” in multi-factor authentication.
With your phone number, a hacker can begin hijacking your accounts one by one by triggering password resets that are sent to your phone. With your phone number, they can fool automated systems, like the self-service call desk of your bank, into believing they’re you when they call customer service.
And the worst part is, they can use your hijacked phone number to break into your work email and sensitive documents — potentially exposing your employer to data theft via social engineering. That’s why you need to protect your phone number.
It’s easier than you might think. You may think it involves hijacking the telco companies to obtain our information. Unfortunately, phone numbers can be found anywhere. When I say anywhere, it means literally anywhere, online or offline.
Let’s rewind our memory to a week ago. Does anything come up when I say the word “Facebook” or “Clubhouse”? Yes, thanks to them, our phone numbers are more readily available to anyone, anywhere, whether you like it or not.
Hackers often find the cell phone number of their target leaked online. But sometimes it may come from something more low-tech like “dumpster-diving” (looking for a phone bill in the garbage). After that, they call up the victim’s carrier, impersonating the customer.
“Port out scams” are a huge problem for the entire telco industry: a criminal impersonates you and moves your current phone number to another cellular carrier (via phone scamming or social engineering in general).
This process is known as “porting” and is intended to allow you to keep your phone number when you switch to a new cellular carrier. Any text messages and calls to your phone number are then sent to their phone instead of yours.
With a little practice at pretexting and a few simple questions answered (where a person lives or their date of birth), they can ask the customer service representative to “Port Out” the phone number to a new SIM card or a different carrier.
And that’s it. Once the phone number activates on an attacker’s SIM card, the hacker can send and receive SMS messages and make calls as if they were the person they just hacked — they become you at that moment.
Image by Jon Crel from Flickr | CC BY-ND 2.0
This is what we call “cell phone cloning.” First, the hacker uses an electronic scanner to detect the electronic identification number of the SIM card in a nearby phone.
There are different kinds of scanners, and they can be found on the dark web, among other places. Although scanners are relatively expensive and difficult to get, it is not impossible, and the ROI is high once you secure a way to obtain SIM cards.
Luckily, most phones have enhanced security mechanisms against cloning nowadays. If a hacker wants to clone your SIM card, physical access to the SIM card would likely be required. With physical access to the card, cloning is comparatively fast and easy to do, notably for those on the GSM network, where exchanging SIM cards between phones is easy.
Once the “SIM cloner” (the hacker who obtains the data on your SIM card) has the following information:
They can then use a SIM writer to make a duplicate SIM card.
SIM writers are legitimate tools and are easy and inexpensive to acquire (search for one on eBay or Amazon; anyone with $10 or $15 to spare can get one easily). Afterward, a hacker can put the duplicated SIM card in another phone and use that phone to make calls and connections under the original phone owner’s account — they become you at that moment.
A phishing message possibly related to the Facebook leaks | Copyright by the author
In most cases, the only sign that it occurred is when the victim suddenly loses cell service without a clear reason. At that moment, it’s as simple as launching password resets on accounts associated with the hacked phone number—Facebook, Gmail, Twitter, PayPal… and more.
If a hacker gets control of your mobile number, they can make your accounts vulnerable to secondary attacks because some services use SMS or a phone call for account recovery when you forget your password.
As we know from the news, a hacker can use your hijacked phone number to:
In the worst cases, it can be painful or nearly impossible to get your phone number back, as with any other personal data — let alone the accounts that were broken into. That’s why the best way to limit the loss is to ensure it never happens in the first place.
Similar to applying two-factor authentication to online accounts, you can add a secondary security code to your cell phone account, too. You can either call up customer service or do it online.
You can ask customer service, for example, to set a secondary password on your account to ensure that only you can make any changes to the account or port out your number.
Every carrier manages secondary security codes differently. You may be limited in your choice of password, passcode, or passphrase (but at least try to make it more than four to six digits; otherwise, it is useless).
Make sure that:
Lastly, the code is easy to forget because it is not used very often. Therefore, make sure you can remember it, since the SIM card will be locked if you enter the incorrect PIN three consecutive times.
For the major carriers in the US (for more details, please refer to “You Should Really Add A PIN To Your Cellular Account”):
Dial 611 from your T-Mobile phone or 1–800–937–8997, and you’ll be able to add a passcode with a six-digit minimum.
Go to vzw.com/PIN, call (800) 922–0204, or visit a store in person with government identification.
After logging on to your account online, click on your name in the upper right > View Profile > Sign-in Info > under Wireless passcode > select Manage extra security.
Extra security requires an additional passcode when you attempt to get online access to the account, discuss the account in any retail store, or call AT&T’s customer service line.
Sprint requires all of its customers to add a PIN and security questions to their accounts. You can update that information by logging on to Sprint.com > My Sprint > Profile and security > scroll to Security information > Save.
If your carrier isn’t listed here, you might want to check whether they offer a similar secondary security code for your account to prevent any abuse. And if they don’t, perhaps you should consider porting out your cell phone number to another carrier that does.
You can use several other methods as your second “factor” that are better protected than text-message-based verification. As mentioned, providing your phone number to a third party introduces the risk of a data leak and of further hijacking of your other accounts. With a little investment, you can decouple your cell phone number from its role as a second factor.
Using a physical token (or security key) only for this purpose could help, such as the YubiKeys from Yubico and Titan from Google. Most security key providers offer different form factors like USB-A, USB-C, Lightning, or Bluetooth. No matter which one you choose, it’s probably a physical thumb drive-shaped accessory that can fit on your keychain.
When authentication is required, you need to plug the key into a USB port on your device, or, if it has an NFC wireless chip in it, hold the key up to your NFC-enabled phone. You can use security keys as secure logins on platforms like Google, Facebook, Dropbox, Microsoft, and other sites that support the FIDO or U2F protocol.
The main problem with keys is service compatibility. Another problem would be losing or misplacing a security key. For example, people who put them on their keychains are likely to be locked out of their accounts if the keys are lost or stolen. Therefore, when you set up your key, you should set up a second backup key in case anything bad happens to the first.
You may already know how to use two-factor authentication to log into accounts. But you may be limited to services that ask for a phone number or email address to receive a security code, which requires an active connection or phone service. This is a 2-factor authentication because:
Authenticator apps generate a time-based code to log into an account and provide stronger security without the added privacy concern of giving out a phone number. Moreover, you don’t need to be connected to the Internet to receive the codes, and they aren’t vulnerable to being hacked via SIM hijacking.
Some accounts request you use a specific authenticator app, while others let you choose. Popular options include Google Authenticator (Android, iOS) and Microsoft Authenticator, supporting multiple accounts, and Authy, which also supports a range of accounts and offers secure cloud backups.
Recently I was called by a scammer via my cellular phone. Although I realized it was a scam early enough, huge damage was done long before I recognized it — way back to the moment my phone number was stolen or leaked. As said, you could save yourself from this mess by protecting your cellular number.
After all, although I don’t want to admit it, my personal data was leaked. And yours will probably be, too. It’s becoming harder to hack user accounts as platforms strive for better security, but it is definitely not impossible. Prepare for the worst, and hopefully, it will never happen. If it really happens, have a plan and a backup, and maybe, merely, you will have a prayer.
Thank you for reading. May InfoSec be with you🖖.