SIM-swapping attacks present a potential risk to all mobile phone users. With this type of fraud, a hacker is able to take control of your phone number, allowing them to intercept phone calls and text messages, including multi-factor authentication codes. From there, they can access your personal information, hijack your accounts, and even steal your identity. Fortunately, there are ways to guard against SIM-swapping attacks.
As a few examples, you can establish a strong password, create a PIN for your account, set up the right type of multi-factor authentication for your mobile account, and watch out for phishing attempts. But the major mobile carriers also provide tools and settings that you can enable to thwart SIM swapping. Let’s look at your options.
What Are SIM-Swapping Attacks?
Also called SIM splitting or simjacking, these types of attacks typically start with a hacker who gains access to your personal data, including your name, phone number, date of birth, address, and even your Social Security number. Armed with all that information, the hacker contacts your cellular carrier and pretends to be you. From there, they convince a support person to transfer your phone number to their own mobile device.
Once your number is associated with the hacker’s phone, they have free rein to commit all kinds of fraud. They can access your account, snoop on your personal data, and capture your communications. Worst of all, they’re able to intercept SMS-based authentication codes and other notifications to gain entry into more of your accounts as a prelude to identity theft.
As SIM-swapping attacks have become more ubiquitous over the years, the FBI and other agencies have increasingly warned people about them, while the FCC has tried to strengthen the rules for how carriers handle phone number transfers. Each of the three major US providers—Verizon, AT&T, and T-Mobile—now offer ways to lock or protect your phone number from unauthorized transfers. Here’s how to safeguard your mobile number from SIM swapping.
1. Set Up a PIN or Password
Want to make changes to your account? Many carriers require you to create a PIN or password that is separate from the regular password you use to sign in to your account. Anyone who calls your carrier or logs in to your account must provide this PIN or password to make changes. To set this up, sign in to your account and look for this option under the security settings. If in doubt, call your carrier to ask how to set it up. Just be sure to write down or store the PIN or password somewhere safe so that you can retrieve it when you need it.
2. Avoid SMS-Based Authentication
Adding two-factor authentication is a smart move because that extra layer of security comes into play every time you, or someone pretending to be you, tries to access your account. You have several options here, but be aware that the type of 2FA you choose makes a big difference. SMS-based authentication, where you receive a text message from your carrier, is the least secure method because hackers can easily intercept them.
Instead, go with an authenticator app or physical security key, which are much more secure. To set this up, find your account’s security settings page, then look for an authentication option. If you can find these more secure methods, you’ll be able to scan a QR code to connect an authenticator app or set up your security key.
3. Choose a Strong and Unique Password
This is always sound advice for any type of account, but especially one that could be compromised through SIM swapping. When creating or changing your account password, be sure to pick one that’s strong. That means a mix of alphanumeric characters or a passphrase. Your best bet is to turn to a password manager to create, store, and apply your passwords. You also want it to be unique, so don’t reuse passwords. If another account of yours is compromised, you don’t want a hack to use those stolen credentials elsewhere.
4. Careful What You Post
Never publicly share personal information such as your phone number, home address, or email address. Scammers often check social media and other platforms looking for such private data. By matching this information with a compromised password, they can more easily access your mobile account where they could modify the security settings.
5. Watch What You Message
By default, email isn’t secure. Text messaging has become more secure in recent years—thanks to the proliferation of end-to-end encryption and secure messaging apps, like Signal—but there are still gaps in the system. For example, texts between an iPhone and Android phone aren’t encrypted. For that reason, be cautious about the details you share in an email or text. Avoid sending messages that include your Social Security number, bank and investment account numbers, driver’s license or passport numbers, or passwords.
6. Never Respond to Unexpected Requests
In a phishing scam, scammers like to use a variety of methods to convince you to share personal or financial details. You may receive a text, email, or even a phone call. Any link you click on may take you to a malicious website that is made to look legitimate. Typically, the scammer will impersonate a business or service that you use, hoping to get you to divulge account information. Once you sign in using your credentials, the scammer has captured your information and can then use it freely. If you receive an unexpected request for certain account details, don’t fall for it. Instead, contact the company separately to find out whether the request is legitimate.
7. Activate Your Carrier’s SIM Protection
Finally, and perhaps most importantly, enable your carrier’s SIM protection to guard against unauthorized phone number transfers. Here’s how to do this across the three major carriers.
Verizon
Verizon offers SIM protection and Number Lock, both of which you should enable. SIM protection prevents any unauthorized SIM or device changes on your phone number. To make any changes to your SIM or phone, you’d first have to disable SIM protection. Number Lock prevents any unauthorized swap of your mobile number. Sign in to your account at the Verizon website or from the My Verizon app. Select Account Overview > Profile & settings > SIM Protection, then turn it on for each mobile device on your plan and save the changes. Next, click Number Lock and do the same. When done, save the changes.
AT&T
AT&T offers a free method called Wireless Account Lock, which prevents unauthorized account changes, billing updates, and wireless number transfers. After enabling this feature, you’d need to disable it to make modifications to your account or phone number. To set this up, fire up the myAT&T app, select Service > Mobile Security > Wireless Account Lock, then pick the account you want to lock and swipe it to lock.
T-Mobile
T-Mobile’s SIM Protection prevents unauthorized number transfers and port-outs that transfer the number to a different provider. To enable this, sign in to your T-Mobile account at the website or through the T-Life app. Note that the T-Life app currently supports only postpaid accounts. At the website, head to your profile page and select Settings > Security > SIM Protection and enable the feature for any number you wish to protect, then select Save Changes.
Source: By Lance Whitney pcmag.com
