There’s a gaping hole in the protection of your digital accounts, and it exists even if you’ve taken the basic steps of using a password manager and enabling two-factor authentication. It isn’t your bank login. It’s your cell phone carrier, and the cause is number porting, that cool feature that lets you seamlessly switch carriers while keeping your number.
Here’s how it works. A hacker obtains your basic info (name, Social Security number, birthday, address) and impersonates you by calling a customer service rep at your cell phone carrier. They ask to port your number to a different carrier or SIM that they control (the same process you would use to change carriers legitimately). Once they control your phone number, they go around to all the major web services and click “reset my password”, which sends a reset code by SMS to your number (now in their hands). Then rinse and repeat: bank accounts, PayPal, Venmo, pretty much anything in the cloud.
And though it isn’t trivial to port a number, it’s definitely inadequate for a human support rep to be the weakest link in the chain.
Four steps to protect yourself
Here’s where I disclaim – I’m nothing close to a cybersecurity expert. These tips are the result of following blog/twitter conversations and some basic, intuitive common sense.
1. Secure your carrier account
Make sure the account password, the account PIN, and any security questions on your carrier account are long, unique, and not guessable from public information. It turns out that I had treated my own account like any other utility (i.e. a gas bill), when I should have been treating it like my most valuable financial account.
2. Call your carrier and set up “a port freeze”
From the Coinbase blog (and they know a thing or two about hackers):
Call your cell phone provider and set up a PIN or password, ask for a port freeze and ask to lock your account to your current SIM. Not all providers will do all of those things. If yours won’t, consider changing to one that will.
It took two attempts to do this with my carrier, it’s definitely not one of their common requests.
3. Update your 2-factor authentication away from SMS
Many accounts let you use a non-SMS second factor, with authenticator apps such as Google Authenticator being the most popular. These apps generate time-based one-time codes from a secret stored on your device, so the code is never delivered to your phone number. This severs the link between your cell phone number and your accounts.
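To make concrete why an authenticator app takes the phone number out of the loop, here is an added example (not code from the original post) of the TOTP algorithm those apps implement (RFC 6238 over HOTP, RFC 4226). The only inputs are a shared secret enrolled once via a QR code and the current time; nothing is transmitted to the phone. The secret below is the RFC 6238 test-vector key (the ASCII string "12345678901234567890", base32-encoded) and is used here only so the output can be checked against the RFC; it is not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret, base32 of b"12345678901234567890". Constructed for
# illustration only; a real enrolment secret must be random and kept on-device.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_b32(secret_b32: str) -> bytes:
    """Decode a base32 secret as shown in an otpauth:// QR code (case/space/pad tolerant)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second windows since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(decode_b32(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32: str, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts +/- `window` steps of clock skew and compares in
    constant time so a timing side channel does not leak matching digits."""
    if at is None:
        at = int(time.time())
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, int(at) + skew * step, step, digits), code):
            return True
    return False


if __name__ == "__main__":
    # At T=59 the RFC 6238 SHA-1 vector is 94287082 (8 digits) / 287082 (6 digits).
    print(totp(TEST_SECRET_B32, at=59), totp(TEST_SECRET_B32, at=59, digits=8))
    print(verify_totp(TEST_SECRET_B32, "287082", at=89))   # one step later, still accepted
    print(verify_totp(TEST_SECRET_B32, "287082", at=120))  # outside the window, rejected
```

The verifier's skew window is the practical caveat: a window of one step tolerates ordinary clock drift, but widening it multiplies the number of codes a guess can hit, so keep it small and rate-limit attempts.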
4. Disable SMS-password recovery on your email accounts
Once again, this severs the link between your phone number and your email account. Go to your:
Google account settings -> Sign in & Security -> Recovery phone
Make sure you repeat this on all dormant/inactive accounts, as there may be a daisy chain interconnecting them (an old, forgotten email address set as the recovery address for your current one, for example). (And if you want even more security, I have friends taking this approach!)
And there you have it. This is by no means comprehensive, but adds additional layers of security to your accounts.