Introduction
After the Equifax breach and so many others, it’s best to operate under the assumption that our most sensitive information is out there somewhere in the wrong hands. It’s high time to secure our mobile phones and email addresses.
As bad as it is that our personal data can fall prey to hackers, there are typically multiple levels of validation for important transactions, and hopefully those will stop the bad guys from doing serious damage. We typically think of a bank account as the most valuable asset; in fact, many large bank transactions have safeguards against abuse, such as email or text validation.
Everything depends on your phone/email, however, and if those are weak everything is at risk. Conversely, if your phone and email are secure, even if hackers would somehow get hold of your bank, the results may not be as devastating as we would imagine.
Lock Down your Mobile Phone
First you’ll definitely want to enable a password/touch-ID on your phone. I think most people do that. In the event the phone is lost, it’ll be hard for anyone to get in there, and in the meantime you can hopefully freeze the device or the phone line.
Beyond that, there are two key vulnerabilities to the standard SMS text message:
- The porting issue (a.k.a. sim swap) where a hacker can port out your number to themselves and proceed to reset all your passwords using the SMS reset option.
- Sophisticated hackers might be able to intercept your text messages even without taking over the phone.
Not sure if there’s anything to do about the second issue, but regarding the first issue it’s important to lock down your phone’s porting feature to ensure that can’t happen. Most major carriers have some sort of PIN or passcode needed in order to port out a number. It’s also important to verify that there aren’t other ways for hackers to port without the PIN.
- Every AT&T account has a PIN/passcode of 4-8 digits which is needed to port a number. Were you to ‘forget’ your passcode, you can change it in the online login by inputting the last 4 of your SSN and your zip code. So a hacker would need your AT&T online credentials + SSN + zip to port your number.
- For T-Mobile, Milesperday did a post on this recently which inspired this post. It seems that with T-Mobile there is no PIN by default, but you can set one up. I don’t know exactly what’s needed to change the PIN; at the very least they’d need your T-Mobile password.
- Every Sprint account has a 6-10 digit PIN number which is presumably needed to port a number. They also have a security answer which can be used to reset the PIN. It’s worth making that answer difficult so that it’s not easy for a hacker to guess it. And again, you’ll want to ensure your email is secure since that’s another reset option.
- Every Verizon account has a 4 digit PIN number which is presumably needed to port a number.
Apparently, T-Mobile is the only one that doesn’t have a PIN by default. Some MVNOs also seem to have insecure porting systems.
A crucial question still remains: how easy is it to switch the PIN using the ‘forgot PIN’ option over the phone? To do so online would require knowledge of your login password, but what about over the phone or in a store?
Some carriers might allow resetting the PIN with the billing address, as this story indicates regarding Verizon. It’s entirely possible they don’t allow that anymore. I looked into AT&T specifically, and was told that, absent the PIN/passcode, text or email validation would be necessary to port the number over the phone or in a store. So if you don’t lose your phone and your logins are secured, it would be hard to hack. Let us know if you have information on other carriers.
Regardless, hackers usually go for the point of least resistance, and if some mobile phones don’t have PINs at all, they’ll try doing the sim swap there first. It’s also worth using a more secure login password on your carrier’s website to avoid having a porting issue with a hacked login password.
Lock Down your Email
You’ve probably heard of 2 Factor Authentication, or 2FA. Lots of online accounts offer a 2FA option, and it’s vital to enable it on your email address at a minimum, since that’s the reset link to your whole digital life. Yes, it’s a pain in the neck, especially for someone like me who juggles multiple email logins. Just realize most people don’t log in to their email too often since it’s saved in the browser or phone; 2FA only kicks in when you’re logging in with a password.
There are two methods of 2 Factor Authentication:
- The standard method whereby your email provider like Gmail will send you a code via text message to input during login.
- Another option is to use an authenticator app on your mobile phone to verify during login. Google offers an Authenticator app as well as a prompt option which can be a bit easier. They also offer backup codes you can print out and save for a scenario where you don’t have your phone. Others recommend using a separate authenticator app called Authy.
In terms of convenience, the SMS option might be a bit simpler in some sense, yet from a security standpoint the authenticator options are superior since phones can be ported or intercepted. If you have your phone locked down with a PIN, as discussed above, the SMS option should be fairly secure, though there’s still the possibility of interception by a sophisticated hacker.
You’ll find many other online accounts offering a 2FA option. On my AT&T online login there’s an option to require your account PIN during login, somewhat similar to the conventional 2FA system.
Final Thoughts
Far from being a security expert, I have done a bit of research about how to protect myself, and it’s well worth looking into your own electronic vulnerabilities too. Email addresses and mobile phones are key entry points everyone needs to secure. There could be additional things you should be safeguarding as well, like your computer login or Dropbox account.
You can read many hacker stories online if you need more motivation. Check out this guy who literally watched himself get swindled out of $8,000 in cryptos. Other stories here and here.
Hopefully there’ll be some security experts who will chime in below if there are any inaccuracies in this post or other important things to know.
I just setup my T-Mobile line with PIN port authentication. The representative had me change my existing password on my account and then said that if a port is ever initiated for a voice line that I will be sent a one time PIN code to authorize that port. This effectively gives two factor authentication for a port to proceed.
Microsoft also offers an Authenticator app. As Google isn’t a company exactly focused on customer privacy and try to turn customer data into profitable information, I try to stay away from their products whenever I can.
Just an FYI from experience with 3 TMobile prepaid numbers that I ported throughout the past year: The pin is automatically set to the last 4 digits of the phone number you are assigned when you sign up. You can call and get this changed or I also believe there is an automated way?
There is no automated way: but the reps would change the pin at your request in one minute. The problem is that T-Mobile is notorious for being stupid: the reps would port phone numbers even when hackers did not have the right pins.
Security, touch-id and mobile phones can be considered as oxymoron.
One of the fundamental features of using a password is ability to change it when compromised. Using touch-id (or any other biometrics) as a security measure is unwise (if not plain stupid) because they are irrevocable. In case of touch id, it’s double “unwise” because your password stamped all over your phone. [it should be regarded SOLELY as a convenience tool, not security].
Mobile phones (or anything mobile for that matter) are inherently insecure by definition. Using them as a way to enhance anything’s security by 2-or 3-level authentication almost always will result in the opposite effect, creating more vulnerability. in other words, any account protected by a mobile phone is insecure. PERIOD.
Social Engineering can often be easily used to access your info and/or change your security measures, just by a simple phone call to your ISP or cellular provider. 2FA is a must, but we still definitely need to be vigilantly keeping an eye out for unauthorized activity. Check out this short video on just how easy it can be to change that pin or add a user via a sympathetic phone rep, even if you have that pin setup. https://www.youtube.com/watch?v=lc7scxvKQOo
good to see a “krebs on security” post here. definitely relevant.
however, anyone who cares about this post is probably already into cyber security anyway. you’re not gonna get any conversions here, but always good to try and inform the ignorant public. it’s a simple “don’t care will always don’t care and those who do, will care even more” scenario.
cyber security is a systematic change in someone’s lifestyle and online behavior which 99% will ignore and find too troublesome. everyone LOVES to login with their instagram, snap, and facebook accounts for everything and never logout. “SAVE MY PASSWORD” and “REMEMBER ME”. SMH. people are hilarious.
anyway, good FYI post tho. but I would say this is hardly a comprehensive guide. it’s not just about hardening your Mobile Phone and Email. it’s much more than that.
This isn’t the type of page that anyone would claim an all-tech comprehensive guide, but contributions are welcome, so how about you also share some tips mr ninja dudeman? 🙂
I don’t think it’s such a drastic lifestyle change for people to implement reasonable measures and I’m aware ‘reasonable’ is a subjective term for each person, but the threats that most people face are less varied.
There’s a different hacking risk for the vast majority of us vs someone who e.g. has a high gov job or another job that entails being a target of gov intel (like journalists who cover national security) or non-gov sophisticated hacking attempts, like industrial espionage. They will necessarily implement more rigid measures, like physical keys, always end-to-end encryption etc. Can we all benefit from such measures? Sure. We can also all benefit from wearing a helmet while driving cars, but not nearly as much as people who ride bikes.
I’m not advising less secure practices, but especially in the context of people thinking ‘this is too much, I’ll just let my browser save my passwords’ and things like that, they don’t have to drastically change their digital lives to significantly improve the security of their digital lives.
And even with drastic security measures, if, say, the US gov or other similarly well-funded and sophisticated entities really wanted to get to a specific person, short of being offline there’s probably no way for them to hack-proof themselves.
well, for those who care about cyber security, they can gauge their own threat level fairly easily based on their daily behaviors and activities in life. it’s up to you to decide what is “reasonable”.
If you have significant investments tied to online banking or overseas institutions and use robo advisors then it’s critical you are protected. the number of n00bs in cryptocurrencies now is very shocking and it’s even worse that they don’t have the technical knowledge to back up their investment choices nor effectively protect themselves against a cyber threat. this is why I said the stupid will always be stupid and the smart will just get smarter. it’s very cliche.
I agree that it’s almost impossible to guarantee cyber protection from nation state attacks. fortunately, most of us are not national dignitaries with classified information.
even still, low level peons like us need to protect ourselves from “mass market” attacks where hackers scan various IP ranges and attack vulnerable routers to log into your PC at home. or shady email attachments.
your earlier post on Vice/Motherboard is good enough. you can use that as a launchpad for your intellectual curiosity and discovery of hardening your cyber life. not talking about pornhub btw. altho u can include that too. haha. anyway, I suggest you become a follower of “Krebs on Security” which is a premier resource on the shit happening in the infosec world. then develop strategies to close off attack vectors.
here’s another suggestion. everything noted on Vice/Motherboard is really one sided on software. not enough on “hardware” and social engineering attacks like protecting your identity (i.e. different laptops, phones, phone numbers, legal entities, different emails for banks vs utilities, etc) even credit reports, SSN lock, Lexisnexis. up to you on how far u wanna go.
Data Point.
Got scared, called T-mobile.
They said everyone gets a default 4 digit pin which is the last 4 of their social. And they advised me that for added security I could reset mine to a 6 digit pin. I did that and they sent me a text with a code to read back to them to verify ownership and then they asked me to select a 6 digit pin.
Yay. Thanks Chuck.
This is awesome. Thank you!!
It might be worth mentioning U2F as another method of 2FA. It uses hardware as the 2nd factor (USB stick). The one I use is called a Yubikey (https://www.yubico.com/) and I use it to secure my LastPass and gmail.
Can you elaborate a bit on your experience using a physical 2FA, did you use a digital 2FA (app) before, do you find it inconvenient at all to carry around and use the usb key?
FYI for those looking to get Yubico, Wired magazine is offering one for free with their subscription, which I think costs $20/year plus tax after 3 months free trial: https://subscribe.wired.com/subscribe/wired/114200#/
I don’t know how/if this differs from the ones Yubico sells directly, but saw some people recommending this online as a 2 for 1 type of deal.
the best is to just do your own research. there’s way too much info to share on U2F. many websites don’t support U2F. it’s all about how balls deep u wanna get. hardware tokens almost make crap impossible to hack because you need physical access and u combine that with software and solid state HD encryption and nobody is touching your shit even with porting.
Except when you have it with you and it is taken from you along with your devices.