Increasingly, consumers are sharing their mobile phone numbers to retrieve and change lost passwords, set up new accounts, verify identity, and even for something as simple as securing a dinner reservation. Mobile phone text-based verification has proven extremely convenient but imagine if someone else had access to all of those text messages delivering secret codes required to verify our identities.
While not new, cell phone porting has recently gained traction as yet another way for scammers to hack into your systems, including bank accounts. The most alarming part of this scam is that it can allow hackers to get past added security measures on personal and financial accounts and logins by intercepting the one-time password that many companies send via text message to the mobile device to perform two-factor authentication.
How Does Porting Work?
Once a scammer has your name and phone number, they will attempt to gather personal information such as address, social security number, date of birth, etc. that can be used to impersonate you. Once obtained, they then contact your mobile provider, claim to be you, report your phone as stolen or lost and then request the number be “ported” with another provider and device. Surprisingly (and unfortunately), mobile carriers often grant this request and forgo formal verification procedures.
All calls and texts are then forwarded to the new device and the original phone – your phone — is shut off. Once in control of the mobile number, thieves can request second factor authentication be sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud. This enables them to access accounts that require additional security authorization such as email, financial accounts, medical records, social networks – anything you might need to access with a password!
You may not know you are a victim of porting until your phone has lost service and you no longer can access important accounts since the hackers have changed passwords. A phone might also switch to “Emergency Calls Only” status, which is what happens when a phone number has been transferred to another phone.
There are several steps you can take to protect yourself from falling victim to porting scams:
Contact your Wireless Provider About Port-out Authorization
Most major wireless providers offer an extra layer of security that customers can request, like a unique PIN or verification code, that only you have. This code or PIN must be provided before any changes can be made to your account.
Use Two Phone Numbers
Have two different phone numbers that you use in different ways. Have one number that you give out freely and another one that you never give out and use only as a backup verification tool. You can do this using a free online service, eliminating the need for an additional costly phone plan. Do not share this number with anyone – if it is shared just once it is considered public information! You can’t trust that the other person’s phone is secure or that they won’t share it.
Utilize Apps for Verification
Whenever there is the option, choose the app-based alternative for authentications. Many companies now support third-party authentication apps which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.
In addition to these precautions, be vigilant about communications you receive and watch for alert messages from financial institutions, and texts in response to two-factor authorization requests, especially if you did not initiate the request. Also, if your phone switches to “Emergency Calls Only” mode, it is a sign the number has been compromised. If you do find yourself a victim of this type of scam, contact your mobile provider and financial institutions immediately.
The rise of porting attacks serves as a warning that we not only need to keep our emails secure, but we also need to keep our phone numbers more secure. To protect yourself, consider alternative forms of authentication other than a text message.