Cybercriminals are increasingly targeting people’s phone numbers, hijacking and then using them to access people’s bank or social media accounts.
**If you're looking for ways to protect yourself from SIM hijacking and other hacks, read The Motherboard Guide to Not Getting Hacked**
If you’re a customer of T-Mobile in the United States, you may have recently gotten a somewhat alarming, and perhaps confusing, text message.
This is a legitimate, real T-Mobile alert, the company confirmed to Motherboard on Monday. A company representative said T-Mobile is messaging its “entire post-paid customer base,” but some customers may have yet to receive the alert as “that takes time and can’t be done all at once.”
“Phone number port out scam” is an obscure term, but it refers to a relatively simple, highly effective and dangerous hack. The scammer calls T-Mobile (or another cell phone provider), or goes to a store, and impersonates the victim, requesting a new SIM card for the victim’s phone number. The same approach also works by “porting” the phone number to another provider, which gives the attacker access to the victim’s phone number.
This type of attack has also been called “SIM hijacking.”
Once the provider issues the new SIM, the scammer can take over the victim’s phone number and then move on to other targets that are linked to it, such as social media or banking accounts. Once the hacker controls the phone number, they can use it to reset the bank password, for example by asking the bank to send a reset link via text.
“Today I lived a nightmare. My phone all of the sudden stopped working. I tried to contact T-Mobile through Twitter—no phone right?—It took them an hour to let me know that someone must have transferred my number to another carrier and they asked me to call my bank to let them know,” a victim told me in a recent email they sent after seeing our previous coverage on similar attacks.
“I immediately log in on my bank account and voila! $2,000 were gone,” he added.
This kind of attack or scam is exactly what Richard De Vere, an independent security consultant, demonstrated in 2016. Similar attacks have been going on in the US at least since last summer, when hackers were taking advantage of a nasty bug in T-Mobile’s website, which allowed them to access other people’s account data, helping them be more convincing when impersonating the victims with T-Mobile support staff.
As T-Mobile says on its website set up to answer customers’ questions about these attacks, “fraudsters are attempting to compromise personal bank accounts by taking over and transferring phone numbers from one wireless provider to another.” But it works even without porting numbers to another company, as we reported last year.
These scams have become more and more common by the day, and providers might not be doing enough to protect you.
“Telecom operators have had thousands of cases of SIM swap fraud affect customers over the years,” De Vere told me in an online chat. “It’s a bigger problem they are hiding.”
Your phone number is increasingly becoming the key to your whole digital identity. As we explained in our guide to not getting hacked, you need to take some simple steps to protect it.
To reduce the risk of this happening to you if you're a T-Mobile customer, call 611 from your cellphone or 1-800-937-8997 and tell a support staffer that you want to create a “port validation” passcode. This is also called a phone passcode or PIN, depending on your provider (most US providers offer this feature now).
This passcode should be unique and different from your password for your cell phone provider’s website (such as https://my.t-mobile.com/ or https://www.verizonwireless.com/my-verizon/), and you should keep it in a safe place, such as your password manager.
You will have to provide that passcode or PIN if you request a new SIM or change providers, preventing others from impersonating you.