I’ve been hearing/reading more about SIM swaps, where a hacker takes over your phone by switching out your SIM card. It sounds like they can get your phone info without even having your actual phone! Scary stuff.
So now I’m looking for ways to best protect my phone/myself from this.
Of course I have a lock code, and I’ve deleted old/unused apps.
I’m also checking out my carriers (US Mobile, Tello) to see their security process in switching out my phone info.
Has anyone here experienced a SIM swap, or know someone who has?
Any advice?
Thanks!
Like many things technology reported by mainstream media, in my opinion, the threat is overhyped. That’s not to say SIM swaps don’t happen.
While SIM swapping doesn’t require access to one’s phone, it does require access to one’s account. So, you’ll want to secure that as best you can.
I use randomly generated passwords and a password manager. The password manager I use is Bitwarden. I never use the same password on multiple websites.
Beyond strong randomly generated passwords, I take advantage of multi-factor authentication (MFA) where available. MFA is most secure when using a hardware token (such as a YubiKey) or token app (like Authy or Google Authenticator). Far too many who offer MFA rely on SMS; which itself was never designed to be secure but if that’s the only form of MFA offered, I’ll use it together with a strong randomly generated password.
While it’s reasonably easy to lock down online account access, what cannot be so easily secured is the use of social engineering to gain access to someone else’s account. In other words, one could call in pretending to be a customer and fool the agent assisting into believing one is the legitimate account owner. Most one off SIM swaps are likely the result of social engineering. It’s among the reasons a capable reasonably well trained support staff is important to me.
Specific to Tello; though they do not currently offer MFA, Tello does use a four-digit security PIN when calling in. That security PIN was created when you set up your Tello account. If you’ve forgotten it, you may reset it while signed into Tello’s account portal. It cannot be done from the app. It’s also my understanding that Tello support staff will not provide port out information. Port out information must be obtained from Tello’s portal. An unauthorized port is the most common way a hacker would take control of one’s phone number.
I haven’t personally experienced having my number stolen, but I’ve been a part of the team that works to recover those stolen numbers.
This is huge. Once your username and password combination is hacked on any site, that information is used to test for accounts all over the internet, and groups of hackers will buy the information from other hackers. While it’s a pain to keep up with separate passwords for all your accounts, its a lot more of a pain to try to undo the damage once a re-used username/password combination gets out.
You may think you have a fabulous, highly-secure password on your bank account, but if your cell phone account credentials aren’t just as secure, and if a criminal gets into your cell phone account and ports your number to their phone, it just takes them a few more minutes to get into your bank account. If you ever notice your phone service seems to have been unexpectedly terminated, you may want to get in touch with your bank(s) and freeze your accounts immediately, even before you start working through the process of getting your number back.