Introduction
After the Equifax breach and so many others, it’s best to operate under the assumption that our most sensitive information is out there somewhere in the wrong hands. It’s high time to secure our mobile phones and email addresses.
As bad as it is that our personal data can fall prey to hackers, there are typically multiple levels of validation for important transactions, and hopefully those will stop the bad guys from doing serious damage. We typically think of a bank account as the most valuable asset; in fact, many large bank transactions have safeguards against abuse, such as email or text validation.
Everything depends on your phone/email, however, and if those are weak everything is at risk. Conversely, if your phone and email are secure, even if hackers somehow got hold of your bank account, the results may not be as devastating as we would imagine.
Lock Down your Mobile Phone
First you’ll definitely want to enable a password/touch-ID on your phone. I think most people do that. In the event the phone is lost, it’ll be hard for anyone to get in there, and in the meantime you can hopefully freeze the device or the phone line.
Beyond that, there are two key vulnerabilities to the standard SMS text message:
- The porting issue (a.k.a. SIM swap), where a hacker can port out your number to themselves and proceed to reset all your passwords using the SMS reset option.
- Sophisticated hackers might be able to intercept your text messages even without taking over the phone.
Not sure if there’s anything to do about the second issue, but regarding the first issue it’s important to lock down your phone’s porting feature to ensure that can’t happen. Most major carriers have some sort of PIN or passcode needed in order to port out a number. It’s also important to verify that there aren’t other ways for hackers to port without the PIN.
- Every AT&T account has a PIN/passcode of 4-8 digits which is needed to port a number. Were you to ‘forget’ your passcode, you can change it in the online login by inputting the last 4 of your SSN and your zip code. So a hacker would need your AT&T online credentials + SSN + zip to port your number.
- T-Mobile: Milesperday did a post on this recently, which inspired this post. It seems with T-Mobile that by default there is no PIN, but you can set one up. I don’t know exactly what’s needed to change the PIN; at the very least they’d need your T-Mobile password.
- Every Sprint account has a 6-10 digit PIN which is presumably needed to port a number. They also have a security answer which can be used to reset the PIN. It’s worth making that answer difficult so that it’s not easy for a hacker to guess it. And again, you’ll want to ensure your email is secure since that’s another reset option.
- Every Verizon account has a 4 digit PIN which is presumably needed to port a number.
Apparently, T-Mobile is the only one that doesn’t have a PIN by default. It seems some MVNOs also have insecure porting systems.
A crucial question still remains: how easy is it to switch the PIN using the ‘forgot PIN’ option over the phone? To do so online would require knowledge of your login password, but what about over the phone or in a store?
Some carriers might allow resetting the PIN with the billing address, as this story indicates regarding Verizon. It’s entirely possible they don’t allow that anymore. I looked into AT&T specifically, and was told that absent the PIN/passcode, text or email validation would be necessary to port the number over the phone or in a store. So if you don’t lose your phone and your logins are secured, it would be hard to hack. Let us know if you have information on other carriers.
Regardless, hackers usually go for the point of least resistance, and if some mobile phones don’t have PINs at all, they’ll try doing the SIM swap there first. It’s also worth using a more secure login password on your carrier’s website so that a hacked login password can’t be turned into a porting issue.
Lock Down your Email
You’ve probably heard of 2 Factor Authentication, or 2FA. Lots of online accounts offer a 2FA option, and it’s vital to enable it on your email address at a minimum, since that’s the reset link to your whole digital life. Yes, it’s a pain in the neck, especially for someone like me who juggles multiple email logins. Just realize most people don’t log into their email too often since it’s saved in the browser or phone; 2FA only kicks in when you’re logging in with a password.
There are two methods of 2 Factor Authentication:
- The standard method whereby your email provider like Gmail will send you a code via text message to input during login.
- Another option is to use an authenticator app on your mobile phone to verify during login. Google offers an Authenticator app as well as a prompt option which can be a bit easier. They also offer backup codes you can print out and save for a scenario where you don’t have your phone. Others recommend using a separate authenticator app called Authy.
In terms of convenience, the SMS option might be a bit simpler in some sense, yet from a security standpoint the authenticator options are superior since phones can be ported or intercepted. If you have your phone locked down with a PIN, as discussed above, the SMS option should be fairly secure, though there’s still the possibility of interception by a sophisticated hacker.
You’ll find many other online accounts offering a 2FA option. On my AT&T online login there’s an option to require your account PIN during login, somewhat similar to the conventional 2FA system.
Final Thoughts
Far from being a security expert, I have done a bit of research about how to protect myself, and it’s well worth looking into your own electronic vulnerabilities too. Email addresses and mobile phones are key entry points everyone needs to secure. There could be additional things you should be safeguarding as well, like your computer login or Dropbox account.
You can read many hacker stories online if you need more motivation. Check out this guy who literally watched himself get swindled out of $8,000 in cryptos. Other stories here and here.
Hopefully there’ll be some security experts who will chime in below if there are any inaccuracies in this post or other important things to know.