Hackers have figured out that stealing people’s phone numbers is easier and more profitable than stealing their phone (in part because they don’t have to be anywhere near you or your phone in order to steal the number).
Recently I wrote about a bitcoin investor (AKA speculator) who is suing AT&T for $240 million because they let someone steal his cell phone number. Once the thief had the number, he was able to reset the password for his bitcoin wallet and sell $23 million of his Bitcoin.
While this is a major international issue, authorities in California have arrested a 19-year-old who was stealing phone numbers to empty people’s bank accounts and other fun stuff.
This is the third reported arrest this month, which, while good, won’t even make a tiny dent in the problem.
This guy is charged with stealing over $1 million in virtual currency and using it to purchase luxury items like a McLaren for $200,000.
So what can you do?
Most people discover the problem when their phone loses service. Note that if you are connected to WiFi, that will continue to work even if your phone number is ported, but you won’t be able to make or receive calls or send or receive texts. Anything that works over data, like WhatsApp or Signal or web browsing, will continue to work after your number is stolen. If that happens, contact your carrier immediately.
Assuming your carrier allows for this, set up a password on your account. The password should be required if a hacker tries to port your number. In the case of the guy who is suing AT&T, they didn’t ask the hacker for it – that dramatically weakens the phone company’s defense.
In the AT&T case, they are saying that they are not required to follow their own procedures. I suspect that a jury is not likely to agree with that theory when a customer is damaged as a result.
If you have a high risk account like a bank account, brokerage account or Bitcoin account, you need to protect that account with two factor authentication and DO NOT use text messages as the second factor because if someone steals your phone NUMBER they will be getting those text messages, not you. Use one of the many authenticator apps like Google Authenticator or Microsoft Authenticator. In that case, someone would need to steal the physical phone and hack the screen lock to empty your bank account. That would be much harder.
If you can get a high risk provider to disable the password reset function that is easy for hackers to use (just click here and we will send you a text, then you can reset your password – simple for you but also simple for a hacker) – then do that too.
Many times the provider’s call center or store people are not very well trained on security, so you may have to be persistent, but remember, it is your money that you are protecting.
Information for this post came from Krebs on Security.