The major mobile phone carriers, T-Mobile, AT&T, Sprint, and Verizon, have a warning for their customers: thieves are trying to “port” your telephone number to another carrier, which allows them to steal your identity, messages and call information. The major carriers admit that this has been an issue in the industry for a number of years. But, it seems to be happening more and more.
There are laws in place that force mobile carriers to allow their customers to port their numbers from one carrier to another. This is why it’s so easy to switch from one carrier to another without the hassle of getting a new phone number. But, when criminals are able to get their hands on this information, it could spell trouble.
How Does It Happen?
Even though porting a number is nothing new, there have been a lot more attempts in recent years. Basically, the bad guys are first stealing the password for a customer’s mobile account, and then they are using a fake number (from a burner phone) to request a port to a new carrier. When this happens, the carrier sends a one-time use password to the burner phone. When it’s used, the real customer’s phone is then shut off, and the crook forwards all messages and calls to a new device. Once they have this, they pretend they are the customer, and can then get all calls sent to a new number, including any “two-step verification” texts to login to various accounts the victim posses.
What do the criminals do once they have access to your phone calls and messages? They use them to gain access to other accounts, such as your credit card or bank accounts.
Most of the time, people who fall victim to this don’t even realize that this has happened to them until they notice that they no longer have service. By that time, the crook has had enough time to not only change all of your passwords on other accounts, they also have time to steal your money and gain access to other pieces of information, such as your Social Security number or any account number associated with any account your phone may be connected to.
Here’s how to protect yourself based on your mobile phone carrier:
- Sprint: If you are a Sprint customer, the only way to port a number is by providing a PIN, which you should have created during the initial setup of your account. To change to another carrier, you must provide this PIN and your phone number. So, if a criminal doesn’t have your PIN, they can’t port the number.
- AT&T: AT&T offers a type of two-factor authentication for its customers. It includes a passcode for your account. Neither you nor a bad guy, can make any changes to your AT&T account without providing this code. As with any code, however, make sure that when you set it up you are making it hard to guess and fully unique. Don’t choose, for instance, the year you were born or the numbers of your address. These are way too easy for someone to guess. Also, the default passcode is the last four digits of your Social Security number, so make sure to change this to something else.
- Verizon: If you are a Verizon customer, you also have a PIN or password that is required for porting. You can set this PIN, or change it, by going into a local Verizon store or setting it online at VerizonWireless.com.
- T-Mobile: For the T-Mobile customers out there, you can protect yourself by adding a port validation feature to your accounts. You can do this by calling 800-937-8997 or dialing 611 from your mobile phone. Ask to set up the port validation feature. You can then set up a code, up to 15-digits, which is required before a port is approved.
The main lesson here is that you should definitely be using something more than just a one-time code or a text if you want to get into your accounts. If you have the option, you should always use an app-based one. These actually are third-party authentication apps, such as Authy and Google Authenticator. This takes two-factor authentication and pushes it up a notch. Also, the mobile carriers are continuing to improve their security options for their customers. This will help all of us stay one step ahead of the cybercriminals.