Starting with a scenario, let us assume you are already a victim of hackers. Your mobile phone number has been hijacked by social engineers who targeted your Mobile Carrier’s customer service staff. They steal and use your number to then gain access to other online accounts that are associated with your number by: phone-based authentication, account recovery (example: Email). Then using that access the hackers will compromise other accounts, harass, steal and blackmail/extort your contacts and associates.
We need to break ourselves of the idea that a phone number is somehow representative of one’s identity and make a good authentication tool. The reality is that the security practices of the Cellular/Telco industry have not yet caught up to modern day threats. Only two pieces of basic information are required for a hacker to steal your mobile phone number: an account number and a PIN code. That’s it. Below is a sample interaction with a Telco carrier to display social engineering.
Hacker: I need to know some information on my account related to an open ticket.
Telco Rep: Of course, can I have your ticket number?
Hacker: I lost this information. Sorry. Here is my phone number.
Telco Rep: Do you know what the ticket was regarding?
Hacker: I had billing issues, please just tell me the info I need. I am upset now and want to cancel my service! The info is right in front of you and you are wasting my time.
Telco Rep: I am sorry sir, here is the info for your account. I hope I helped resolve your problems today. Please make sure to rate the call today in a brief survey when the call ends. Can I help you with anything else or have I resolved your question?
Hacker: All set…thanks.
So how does one secure a Mobile Phone number and Telco Account? Here are some suggestions from professional security analysts:
- Call your Telco and set a Passcode/PIN on your account.
- Make sure it applies to ANY account change.
- Make sure it applies to all phone numbers on the account.
- Ask your Telco what happens if you forget your passcode?
- Add a HIGH-RISK flag to the account, so any account activity will be scrutinized.
- Close your online web-based management account from the Telco.
- Block Future registration to the online management system.
- Secure the email address associated with the Telco account.
- Create a NEW email address that you only use with this Telco.
- Make sure this new email account is VERY secure; send any passcode bypass instructions from the Telco here.
That said, for most people, we can safely assume a telephone number is not a great tool to prove our digital identity securely. What other options exist to secure our digital identities?
Two-Factor Authentication (2FA), a.k.a. Multi-Factor Authentication (MFA) methods are more secure. Google Authenticator, Microsoft Authenticator or Yubikey are good examples.
One should only use SMS/Text for security when necessary and consider if you want this setup at all relating to account recovery or password reset options.[/vc_column_text][/vc_column][/vc_row]