How phone number two-factor authentication fails
Below is a cut-and-paste of a piece that NextAdvisor's PR team sent over on how people are bypassing two-factor authentication via social engineering. We've discussed two-factor authentication a bit before, how easy it is to set up and how it adds a layer of protection to your accounts; well, people have figured out how to remove that layer, and here's how they're doing it.
The cut-and-pasted piece is below, reformatted slightly because it looked odd going from Word to WordPress.
Phone Porting: How Hackers Can Hijack Your Mobile Phone Number
by Gabriel Wood with NextAdvisor.com
When defending ourselves from hackers, most of us put a lot of thought into making sure our computers are secure. However, there’s another piece of technology that’s just as vulnerable to attack: your cell phone. As we’ve discussed before, mobile phone-related identity theft has been steadily increasing in recent years. Between 2013 and 2016, reports to the Federal Trade Commission of identity theft via mobile phone hijacking more than doubled. We’re increasingly relying on our mobile devices to pay for goods and provide security, and hackers have found a way to take advantage of that through an attack called phone porting (also known as SIM swapping). To find out how phone porting works, and the options you have to defend yourself from it, continue below.
How phone porting works
Phone porting exploits how easy it is to find someone’s phone number, as most people don’t consider their phone numbers information they need to keep private. In a phone porting attack, a hacker uses your mobile number and your name to take over your mobile account. They do this by talking to your mobile carrier while impersonating you, either over the phone or in a store, and asking it to port your number to a new service or device. Normally the carrier will ask some security questions based on your personal information, such as your date of birth, address or the last 4 digits of your social security number, which the hacker may be able to answer if they have acquired that information via phishing, mail theft, purchasing it online or just following your social media pages. The hacker may not even need that information, though, if they can use social engineering to convince the phone carrier’s customer service representative to skip over those security steps with a sob story. If the hacker gets a representative who won’t do that, they can just keep trying over and over until they get one who will.
What can attackers do with this information?
The biggest vulnerability a phone porting attack can open up is the ability to reset your passwords and bypass the two-factor authentication via SMS on your accounts. With your mobile number ported to their own device, a hacker can receive text messages sent to you containing security confirmations, letting them access a multitude of accounts including but not limited to Google, iCloud, Facebook, Dropbox and PayPal with only your username. This is especially dangerous for people who own cryptocurrency, as digital wallets are often protected with two-factor authentication via SMS. Gaining even temporary access to your cryptocurrency wallet can allow a hacker to empty it, with no way to reverse the transfer.
A hacker who takes control of your mobile account in a store can also make charges to your account, most notably for new devices. While most mobile phone retailers normally verify the account holder’s identity using security questions or by checking a photo ID, not every store or employee follows through with that, and some criminals might even go so far as to create fake IDs using your information to boost their scheme.
How you can protect yourself
Mobile carriers are required by the FTC to have internal policies for detecting and preventing identity theft. Many mobile carriers, including the four largest in the U.S., will let you set a password on your account, so anyone who calls to make changes will have to provide the password first. That may not be enough, though, as what makes phone porting attacks so difficult to stop is that they take advantage of the human errors made by mobile carrier employees. For an added layer of protection, consider getting a virtual phone number or VoIP plan and give out that number instead. You can set up either of those services to forward calls and texts to your mobile device, letting you keep an open line of communication without risking your number.
You should also be on the lookout for the warning signs of a phone porting attack. Suddenly losing all service can indicate that a hacker has transferred your phone number to a new device, and receiving unexpected texts of authentication codes could mean someone is trying to breach your online accounts at that moment. In both cases, you should immediately notify your mobile carrier, financial institutions and any companies that sent you authentication codes in order to mitigate the damage as much as possible. If any of them confirm that a hacker attempted to port your phone number or gain access to your accounts, reporting the attempt to the FTC, local police and credit bureaus will help you fix any problems that may occur due to identity theft in the future.
Sometimes it can feel like your security and identity are under siege from every possible direction, which is why we’re committed to finding the threats you need to watch out for. To learn more about how to protect your identity from hackers, follow our identity theft protection blog.
About the author: Gabriel Wood
Gabriel Wood is a personal finance and technology writer for NextAdvisor.com, covering personal and small business loans, VoIP, and Internet fax services. He is a graduate of American University in Washington D.C., and currently lives in Oakland. Follow him on Twitter @GabrielAdvisor.