How to protect your cell phone number and why you should care


Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.

Why you need to protect your phone number

Your cell phone number is a single point of failure.

Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And you use it for two-factor authentication to securely log in to your accounts.

If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer to data theft.

Just think of every site and service that has your phone number. That’s why you need to protect your phone number.

How do hackers steal cell phone numbers?

It’s easier than you might think. Phone numbers can be found anywhere – thanks in part to so many data breaches.

Often, hackers will find the cell phone number of their target floating around the internet (or from a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered, often little more than where a person lives or their date of birth, they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.

That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.

In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.

From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.

You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.

In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.

What you can do to protect your phone number

Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.

You can either call up customer service or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.

Every carrier handles secondary security codes differently. You may be limited in your password, passcode or passphrase, but try to make it more than four to six digits. And make sure you keep a backup of the code!

For the major carriers:

If your carrier isn’t listed, you might want to check if they employ a similar secondary security code to your account to prevent any abuse. And if they don’t, maybe you should port out your cell phone number to a carrier that does.


Instagram’s app-based 2FA is live now, here’s how to turn it on

If you’d like to be sure you’re the only one posting elaborately staged yet casual selfies to your Instagram feed, there’s now a powerful new option to help you keep your account safe.

In late September, Instagram announced that it would be adding non-SMS-based two-factor authentication to the app. Instagram confirmed to TechCrunch that the company rolled out the security feature last week and that non-SMS two-factor authentication is live now for all users.

Enabling two-factor authentication (2FA) adds an additional “check” to an account so you can be sure you’re the only one who can log in. Instagram previously only offered less secure SMS-based 2FA, which is vulnerable to SIM hijacking attacks but still better than nothing.

Now, the app supports authenticator apps that generate a code or send a user a prompt in order to prove that they are in fact the authorized account holder. When it’s available, enabling 2FA is one of the easiest, most robust basic security precautions anyone can take to protect any kind of account.

If you’d like to enable app-based 2FA now, and you really should, here’s how to do it.

Open Instagram and navigate to the Settings menu. Scroll down into the Privacy and Security section and select Two-Factor Authentication. There, you’ll see two toggle options: Text Message and Authentication App. Choose Authentication App. On the next screen, Instagram will either detect existing authentication apps on your device, invite you to download one (Google Authenticator by default, Authy is a fine option too) or allow you to set up 2FA manually. Follow whichever option works best for you.

You’ll be asked to authenticate the device you’re on now, but you won’t have to do this every time for trusted devices once they have been authenticated. See? Not so bad. It was a long time for such a popular, well-resourced app to leave users unprotected by proper 2FA, but we’re glad it’s here now.

Additional reporting by Sarah Perez.

Watchdog says face scanning at US airports is plagued with technical problems

A watchdog report has warned that Homeland Security’s face scanning program, designed to track all departing travelers from the US, is facing “technical and operational challenges” that may not see the system fully working by the time of its estimated completion in 2021.

The report by Homeland Security’s inspector general said that although Customs and Border Protection (CBP) was making “considerable progress” in rolling out the facial scanning technology, the program is dogged with problems.

CBP has been on a years-long effort to roll out facial recognition at US airports, trialing one airport after the other with the help of airlines, in an effort to track passengers as they leave the US. Although citizens can opt out, the biometric scanning is mandatory for all foreign nationals and visitors. CBP is using the system to crack down on those who overstay their visas, but critics say the system violates privacy rights.

Currently in nine airports, the facial recognition program is set to be operational in the top 20 airports by 2021. But the inspector general report out Tuesday said that the government may miss that target.

“During the pilot, CBP encountered various technical and operational challenges that limited biometric confirmation to only 85 percent of all passengers processed,” the report said. “These challenges included poor network availability, a lack of dedicated staff, and compressed boarding times due to flight delays.”

The report said that the scanners failed to “consistently match individuals of certain age groups or nationalities.”

Although the system detected 1,300 visitors overstaying their allowed time in the US, the watchdog seemed to suggest that more overstays would have been found if the system wasn’t running under capacity at an 85 percent success rate.

As a result, CBP “may be unable to meet expectations for achieving full operational capability, including biometrically processing 100 percent of all international passengers at the 20 busiest airports,” the report said.

Staffing issues and a lack of certainty around airline assistance are also throwing the program into question. After all, CBP said that it will rely on the airlines to take the facial scans, while CBP does the background checks behind the scenes. But CBP’s “plans to rely upon airport stakeholders” for equipment purchases, like digital cameras needed for taking passenger photos at boarding gates “pose a significant point of failure” for the program, the report read.

“Until CBP resolves the longstanding questions regarding stakeholder commitment to its biometric program, it may not be able to scale up to reach full operating capability by 2021 as planned,” the report said.

Although the CBP disagreed, the agency said it would “develop an internal contingency plan” in case airlines and airports decline to help.

A CBP spokesperson did not return a request for comment.

Delta to start scanning faces at airport check-in

Delta will later this year roll out facial recognition at its terminal at Atlanta International Airport for anyone traveling on an international flight.

The airline said the biometric facial scanning is optional — a move that will shave a few minutes off each flight — but will help border and pre-flight security authorities before jetting out of the US. It’s the latest roll-out of facial recognition trials at Detroit Metropolitan and New York John F. Kennedy airports.

What might be convenient to some is a privacy violation to others — and some argue that without approval from Congress, it could be illegal.

Facial recognition at airports is a controversial move, one that’s been decried since it first rolled out last year. Six major US airports completed trials as part of a wider rollout — aimed to be completed by today. CBP relies on airlines to collect facial recognition data, something Delta doesn’t shy away from. The airline said facial recognition “is a natural next step following CBP and Delta’s optional facial recognition boarding tests” at Atlanta.

Customs and Border Protection has previously said that the move was to crack down on those who overstay their visas, but privacy advocates said that it steps on privacy rights.

Travelers who don’t want their faces scanned will be given several opportunities to opt out, Delta spokesperson Kathryn Steele told TechCrunch, and can continue to “proceed normally” through security.

CBP spokesperson Jennifer Gabris said that only US citizens can opt out, and will have their documents checked manually.

Homeland Security, which oversees border security, struck a different tone when last year it said that anyone who wanted to opt out of having their faces scanned should “refrain from traveling.”

Biometric data collected by Delta is stored by the government for two weeks, but exit records on citizens and green card holders are held for 15 years, and 75 years for non-immigrant visitors.

If that makes you uneasy, don’t expect the rollout to slow any time soon. Homeland Security continues to expand the program and is expected to roll out to land borders. Facial scanners at Washington Dulles airport last month caught a traveler with a fake passport.

Even with one success story in the bag, it’s a tough sell to convince the government to pull back now.