Your cell phone number is more important and less secure than your Twitter password

It’s shockingly easy for hackers to hijack your digital life using phone numbers. The public should press Congress and carriers to improve security.

On July Fourth, hackers accessed computers at the social media aggregator Timehop. They stole 21 million user records. Timehop executives quickly realized that the most sensitive compromised records weren’t email addresses, names or even dates of birth. Their top concern was the 4.9 million stolen customer phone numbers.

The mobile phone number has become society’s primary authentication token. If you forget the password to your bank account, you recover it by entering the digits texted to your phone number. That’s how the bank “knows” you’re you.

Compared with email and online banking, there’s almost no security to protect a phone number from being stolen. Using information and tools available easily and cheaply online, “SIM swapping” attacks can be mounted against any phone number.

Once the bad guys have hijacked your phone number, they can reset your email password and lock you out while they systematically take over your online banking, retirement accounts, photos … every aspect of your digital life. Regaining control can take days — and you might never get back easily transferred assets, like cryptocurrency.

These hacks are the new normal

Once the stuff of dystopian fiction, these attacks now occur quite a bit. Last year, Cody Brown lost thousands while he struggled to convince his phone carrier he was not the person who ported his phone number. A similar attack was launched against venture investor Fred Wilson. He caught it in time, but locking down his cyberlife while in Europe with his family was a huge scramble.

Recently, adult film stars have been under attack. Try as they might, they haven’t gained much attention outside the information security community.

The online world considers mobile numbers more fundamental to identification than Social Security numbers. Yet carriers like AT&T, T-Mobile and Verizon are sales organizations, not security organizations. They sell products, services and at best a sense of security that keeps customers happy if not actually secure.

After the Timehop breach, executives called AT&T, Sprint, T-Mobile and Verizon, offering the list of compromised numbers so they could be monitored for fraud. Two accepted the list. The other two didn’t even respond.

Some large carriers apparently aren’t concerned or don’t fully understand what victims realize very quickly: The bank can’t tell whether the “Lost Password” SMS message they sent to confirm your identity actually went to someone else. To the bank, your number is synonymous with you.

There’s risk from the carriers, too. A huge number of low-level employees are encouraged and empowered to make substantive changes to people’s accounts. How confident are you that every low-wage salesperson at every Verizon shop will resist the temptation to exploit that power?

The risk associated with mobile phone numbers remains obscure partly because SIM swapping is a high-impact but relatively low-frequency event. It’s easy to send 100 million phishing messages that a lot of people will notice. It takes more time and effort to make SIM swapping pay off, so criminals target individual victims.

Because SIM-swapping attacks have mainly stayed in technical journals not often read by mainstream users, most people don’t pressure the carriers to change anything. Consumers must become more proactive. Set account passwords, insert Do-Not-Port orders on accounts, and let the carriers know that this is important. Nothing short of a public outcry will force needed changes.
