Our mobile phone numbers today have become our unique identifiers, even more so than our full names. While you’ve probably run across at least one other person who shares your name, our mobile numbers are guaranteed to be globally unique. And since we can port these numbers to any service, we tend to keep these numbers for life. Our mobile phone numbers now are almost like Social Security numbers.
Unlike Social Security numbers, however, we give out our phone numbers without thinking about it. Mobile numbers are not just used as contact information anymore. We use them as identifiers for messaging apps, store loyalty cards, and two-factor authentication. (Facebook recently exposed 419 million users’ phone numbers online.)
Keys to the Kingdom
A recent article from the NY Times explains why we need to start being a lot more careful about how we give out our mobile numbers. A researcher showed the author how his cell phone number allowed him to pull up all sorts of information about him online for as little as $5. This included current and past addresses, full names of family members, property info including square footage, and more.
We now use our phones to authorize financial transactions, to reset passwords, and as a second-factor authentication mechanism. While there are some very secure apps for this purpose, many companies still use text messages, or SMS. Short Message Service is very old and was never meant to be secure. Text messages can be intercepted fairly easily by cell site simulators called IMSI Catchers (aka “Sting Rays”). These were initially a highly secret law enforcement tool, but you can actually build your own for about $20.
But the hack that you should be most worried about is SIM swapping. A Subscriber Identity Module, or SIM card, is the little chip in your cell phone that ties the device to your cellular number. If you take that card out and put it in another phone, that phone will now get all your phone calls and text messages. And if you lose your phone, you can go to your cellular provider and get a new SIM card for your account. When you put that SIM card in a new phone, that phone will get your calls and texts.
However… if someone else can manage to get a new SIM card on your behalf, they can essentially clone your phone. This is called SIM swapping (or “SIM jacking”). With a cloned phone, hackers and thieves can now receive your security PIN codes. They can also impersonate you to friends and other businesses you deal with. This can lead to a compromise of just about any online account, including email, social media and financial accounts. Twitter’s CEO, Jack Dorsey, recently had his own account hacked using this technique. Reversing the damage in situations like this can be very difficult.
Put a PIN On It
So what can you do? Actually, not as much as you’d hope. Minimum wage workers in a phone store have access to your account and the tools necessary to clone a SIM card. If they can be fooled by an impersonator or simply paid off, they can clone your phone.
However, most major carriers have some sort of extra PIN or password you can add to your account which (in theory) should prevent a SIM swap. If you haven’t done this yet, I recommend calling your cellular provider and setting this up. This article has more info, including details for each of the four major US carriers.