If you’ve switched phone carriers before, you’re probably familiar with the fact that you can keep your own phone number. This process is called “porting,” and scammers are using this as a technique to gain access to your online accounts.
That’s right. Without proper security in place, scammers can essentially call up your carrier and pretend to be you—stealing your phone number by moving it to a new carrier and shutting off your phone service while they’re at it.
We’ve worked with several people who have dealt with this in the past few months—especially those with T-Mobile, but also including other carriers. Since this attack is so dangerous and awareness is still low, we want to help spread the word about what it is and how to prevent it.
So how does it work?
Typically, attackers will make phony port-out requests once they’ve already stolen one or more passwords from you—your login to your phone carrier’s website or your email are common targets. If your account credentials were leaked in a data breach, this increases your chances of falling victim to a port-out scam.
Your phone carrier (hopefully) won’t just authorize a port-out request to anyone—the attacker will have to provide some information (password, PIN code) and may use social engineering techniques to convince the customer service representative that they are you.
Once the number has been ported out, all of your calls and texts will be forwarded to the new device, where attackers can then intercept passcodes that may be texted to your phone as a method of two-factor authentication and gain access to your online accounts.
You might not know this is happening until your device has lost service. But once this happens, seek help immediately. Thieves may be able to change your passwords, steal money from your accounts, and use all of your personal information against you.
What can I do to prevent this?
Of course, the first step is making sure you have two-factor authentication enabled on all accounts and regularly changing your passwords.
When given the opportunity, use an authenticator app for two-factor authentication instead of a SMS text message. Text messages are convenient in the short-term, but third-party authentication apps like Google Authenticator and Authy make it much harder for thieves to break into your accounts.
Most carriers have you set a PIN when you create an account (one that’s required whenever someone makes a change to your account). Make sure you’ve set up a strong PIN and keep that information private.
However, some carriers, like AT&T, may use the last four digits of your social security into your default PIN, so you want to make sure it’s something completely unique, too. (Hint: birthdays, anniversaries, and PINs like “12345” are not secure.)
Don’t have a PIN? Call your carrier’s customer service or set one up online—and ask about other methods to secure your account while you’re at it.
T-Mobile, AT&T, and other mobile carriers are reminding customers to take advantage of their free services to help block identity thieves from easily porting your number to another provider. Every provider is aware of this and every one has a different solution.
As for what you do from there? That’s definitely your call.