“As bad as we are at remembering names and phone numbers and word-for-word instructions from our colleagues, we have really exceptional visual and spatial memories.” 2006 U.S.A. Memory Champion — Joshua Foer, If Someone Steals Your Phone Number, They Become You. Assuming you read my previous article and learned how to limit your exposure online. You set up a password manager and enabled multi-factor authentication for your accounts. There is more to be done to keep you safe. You might think your ID number or bank account numbers are the most sensitive digits. Sadly, with only your cell phone number, hackers can do far more damage with little effort. A Free Beginner’s Guide to DNS Security for Work From Home (WFH) However, unlike your ID or Social Security number, you’re less likely to keep your cell phone number a secret; otherwise, nobody can reach you! No matter which Telco service you are using, every cell phone number can become a target for stealing. Let’s take a look at the most direct way to protect it and the reason why we should think twice before giving our phone number, online or offline. A Single Point of Failure — Why You Need to Protect Your Cell Phone Number Let’s Take a Closer Look At Your Daily Life With Cell Phone We spend most of our time on this little device; no matter we are waiting, in the elevator, walking, or in the toilet. It is with us all the time, anytime, anywhere. Not just that, we also use our phones to ease our life. When signing up to sites or services, often it may require our phone number . Sometimes we even use it to log into apps and games directly. Our phone number is also the last resort to while forgetting passwords. Needless to say, it is also a way to prove “something you have/know” in for verification reset your accounts multi-factor authentication. Think Of Every Site and Service That Has Your Phone Number With your phone number, With your phone number, they can fool automated systems, like the self-service call desk of your bank, into believing they’re you when you call customer service. a hacker can begin hijacking your accounts by making a password reset sent to your phone one by one. And the worst part is, they can use your hijacked phone number to break into your work email and sensitive documents — potentially exposing your employer up to data theft via social engineering. That’s why you need to protect your phone number. If Someone Steals Your Phone Number, They Become You It’s easier than you might think. You may think it involves hijacking the telco companies to obtain our information. Unfortunately, phone numbers can be found anywhere. When I say anywhere, it means literally anywhere, online or offline. . Anything come up when I say the word or ? Yes, thanks to them, our phone numbers are readily more available to anyone, anywhere, no matter you like it or not. Let’s rewind our memory to a week ago “Facebook” “Clubhouse” Understanding The Facebook Data Leak: 533,000,000 Facebook Records Were Lea How Does a Hacker Steal Cell Phone Numbers? Hackers often . But sometimes, it may be from something more low-tech like — looking for a phone bill in the garbage). After that, they call up the victim’s carrier impersonating the customer. find the cell phone number of their target leaked online “dumpster-diving” Port Out Scam “ ” are huge for the entire telco industry in which a criminal impersonates to you and moves your current phone number to another cellular carrier (Via phone scamming or social engineering in general). Port out scams This process is known as and is intended to allow you to keep your phone number when you switch to a new cellular carrier. Any text messages and calls to your phone number are then sent to their phone instead of yours. “porting” With a little practice on and a few simple questions answered — where a person lives or their date of birth, they can ask the customer service representative to “Port Out” the phone number to a new SIM card or a different carrier. pretexting And that’s it. Once the phone number activates on an attacker’s SIM card, the hacker can send and receive SMS messages and make calls as if they were the person they just hacked — they become you at that moment. There’s Another Way — With an Investment Image by from Flickr | CC BY-ND 2.0 Jon Crel This is what we call .” First, the hacker uses an electronic scanner to detect the electronic identification number of the SIM card in a nearby phone. “cell phone cloning There are different kinds of scanners, and they among other places. Although scanners are it is not impossible, and the ROI is high once you secure a way to obtain SIM cards. can be found on the dark web, relatively expensive and difficult to get, Luckily, most phones have enhanced security mechanisms against cloning nowadays. If a hacker wants to clone your SIM card, physical access to the SIM card would likely be required. With physical access to the card, cloning is comparably fast and easy to do, notably for those on the GSM network where exchanging sim cards between phones is easy. Once the “SIM cloner” (the hacker who obtain the data on your SIM card) has the following information: The SIM serial number (SSN) Authentication key It can then begin to use a SIM writer to make a duplicate SIM card. SIM writers are legitimate tools and are easy and inexpensive to acquire (Search it on eBay or Amazon, anyone with $10 or $15 to spare can get one easily). Afterward, a hacker can put the duplicated SIM card in another phone and use that phone to make calls and connections under the original phone owner’s account — they become you at that moment. What’s Next? A phishing message possibly related to the Facebook leaks | Copyright by the author In most cases, the only sign that it occurred is when the victim suddenly loses cell service without a clear reason. At that moment, it’s as simple as launching password resets on accounts associated with the hacked phone number—Facebook, Gmail, Twitter, Paypal… and more. If a hacker gets control of your mobile number, they can make your accounts vulnerable to secondary attacks because some services use SMS or a phone call for account recovery when you forget your password. Knowing it by the news, a hacker can use your hijacked phone number to: steal all of your cryptocurrency maliciously delete all of your data take over your vanity Instagram username further phishing via the contact information on SIM In the worst cases, it can be painful or nearly impossible to, like any other personal data, get your phone number back — let alone the accounts that were broken into. That s why the best way to limit the loss is to ensure it never happens in the first place. What You Can Do to Protect Your Cellular Number Image by from tomekwalecki Pixabay 2FA for Your SIM Similar to applying two-factor authentication to online accounts, you can add account, too. You can either call up customer services or do it online. a secondary security code to your cell phone You can ask customer service, for example, to set a secondary password on your account to ensure that only you can make any changes to the account or port out your number. Every carrier manages secondary security codes differently. You may be limited in your password, passcode, or passphrase (but at least try to make it more than four to six digits. Otherwise, it is useless). Make sure that: You are reusing a passcode from another account NOT It is the last four digits of your ID/ Social Security number because it’s . NOT likely for sale on the black market already Lastly, the code is easy to forget as not used very often. Therefore, since the SIM card would be locked if you enter the incorrect PIN three consecutive times. make sure you can remember the code For the major carriers in the US (For more details, please refer to “ ”): You Should Really Add A PIN To Your Cellular Account. T-Mobile Dial 611 from your T-Mobile phone or 1–800–937–8997, and you’ll be able to add a passcode with a six-digit minimum. Verizon Go to , call (800) 922–0204, or visit a store in person with government identification. vzw.com/PIN AT&T After logging on to your account online, click on your name in the upper right > View Profile > Sign-in Info > under Wireless passcode > select Manage extra security. Extra security requires an additional passcode when you attempt to get online access to the account, discuss the account in any retail store, or call AT&T’s customer service line. Sprint Sprint requires all of its customers to add a PIN and security questions to their accounts. You can by logging on to Sprint.com > My Sprint > Profile and security > scroll to Security information > Save. update that information If your carrier isn’t listed here, you might want to check if they use a similar secondary security code to your account to prevent any abuse. And if they don’t, perhaps you should consider porting out your cell phone number to another one who does. Review SMS-Based 2FA of All Accounts Image by from Markus Bergen Pixabay You can use several other methods as your second “factor” that is more protected than text message-based verification. As mentioned, providing your phone number to a 3rd-party introduce the risk of data leak and further hijack other accounts. With a little investment, you can de-couple your cell phone number as a second factor. Security Keys Using a physical token (or security key) only for this purpose could help, such as the ones from Yubico called and from Google. Most security key providers offer different form factors like USB-A, USB-C, lightning, or Bluetooth. No matter which one you choose, it’s probably a physical thumb drive-shaped accessory that can fit on your keychain. Yubikeys Titan When authentication is required, you need to plug the key into a USB port on your device, or, if it has an NFC wireless chip in it, hold the key up to your NFC-enabled phone. You can use security keys as secure logins on platforms like , , , , and other sites that . Google Facebook Dropbox Microsoft support FIDO or Y2F protocol The main problem with keys is service compatibility. Another problem would be losing or misplacing a security key. For example, if keys are lost or stolen for people who put them on their keys, account lockouts are likely. Therefore, when you set up your key, you should set up a second backup key if anything bad happens to the first. 3rd Party Authenticator Apps You may already know how to use two-factor authentication to log into accounts. But may limit to using services that give a phone number or email address to receive a security code that requires active connections or phone services. This is a 2-factor authentication because: The phone with the app installed — Something you have. The time code in the app — Something you know. It also proves you have the device at the time period. Authenticator apps generate a time code to log into an account and provide stronger security . Moreover, you don’t need to be connected to the Internet to receive them, and they aren’t vulnerable to being hacked via SIM hijacking. without the added privacy concern of giving out a phone number Some accounts request you use a specific authenticator app, while others let you choose. Popular options include ( , ) , supporting multiple accounts, and , which also supports a range of accounts and offers secure cloud backups. Google Authenticator Android iOS and Microsoft Authenticator Authy Final Words — Learn From the Mistakes Recently I was called by a scammer via my cellular phone. Although I realized it was a scam early enough, huge damage was done long before I recognized it — way back to the moment my phone number was stolen or leaked. As said, you could save yourself from this mess by protecting your cellular number. About My Recent Encounter With a Credit Card Scammer After all, although I don’t want to admit it, my personal data was leaked. And yours will probably be, too. It’s becoming harder to hack user accounts as platforms strive for better security, but it is definitely not impossible. Prepare for the worst, and hopefully, it will never happen. If it really happens, have a plan and a backup, and maybe, merely, you will have a prayer. Thank you for reading. May InfoSec be with you🖖.

Amazon

AT&T

Dropbox

eBay

Facebook

Google

Instagram

Microsoft

Rewind

Target

Twitter

The Privacy Paradox: Do We Really Have Nothing to Hide?

Oxidative Priority: Understanding the Science Behind Fat Loss

2021 - HackerNoon Contributor of the Year - CULTURE

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

Why You Should Protect Your Cell Phone Number and How to Do It

Why You Should Protect Your Cell Phone Number and How to Do It

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Does the FCC Protect Phone Companies From Valid Health Criticisms?

How to Manage Your Technology and Reduce Your Digital Distractions

I want my cellphone to be a drone and a moon-ball.

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Does the FCC Protect Phone Companies From Valid Health Criticisms?

How to Manage Your Technology and Reduce Your Digital Distractions

I want my cellphone to be a drone and a moon-ball.

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps