Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!
Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
Why you need to protect your phone number
Your cell phone number is a single point of failure.
Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And, you use it for two-factor authentication to securely login to your accounts.
If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer up to data theft.
Just think of every site and service that has your phone number. That’s why you need to protect your phone number.
How do hackers steal cell phone numbers?
It’s easier than you might think. Phone numbers can be found anywhere – thanks in part to so many data breaches.
Often, hackers will find the cell phone number of their target floating around the internet (or from a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered — often little more than where a person lives or their date of birth, they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.
That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.
In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.
From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.
You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.
In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.
What you can do to protect your phone number
Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.
You can either call up customer services or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.
Every carrier handles secondary security codes differently. You may be limited in your password, passcode or passphrase, but try to make it more than four to six digits. And make sure you keep a backup of the code!
For the major carriers:
- AT&T has a guide on how to set up extra security on your account.
- T-Mobile allows you to set up a customer passcode.
- Verizon explains how you can add a PIN to your account.
- Sprint also lets you add an account PIN for greater security.
If your carrier isn’t listed, you might want to check if they employ a similar secondary security code to your account to prevent any abuse. And if they don’t, maybe you should port out your cell phone number to a carrier that does.
Check out our full Cybersecurity 101 guides here.