Cell phone number hijacking

23 August

A client recently read this NY Times article and was concerned about how it would affect them. I would like to share my response to this.

Dear xxxxx;

This is something that you and I do not have control over, but something that the phone companies need to be smarter about. The problem is that your phone number is used by many services to validate your account. For instance, if you were to go to your Schwab account and click on "forgot password", they will send a reset code to your cell phone. If someone took your phone, then they could use that same "forgot password" link to get a reset code and then access to your account. The phone companies clearly need to have a better policy, and I would hope this article was a wake-up call to them. Since this was a NY Times article, I trust that it was read by managers of the various carriers. That last part of the article shows the lack of training of the agents.

 

There may be a workaround, though. I need to research (time constrained, ugh). Google Voice will set up a phone number, and you can have it forward to anything. If you registered all online accounts to a Google Voice phone number, then have Google Voice forward the texts to your email, then you may be able to protect yourself from just such a hack.

Snippet from the article below:

Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.

But just a day later, he said, the attacker persuaded a different Verizon agent to change Pokornicky’s number without requiring the new PIN.

A spokesman for Verizon, Richard Young, said that the company could not comment on specific cases, but that phone porting was not common.

“While we work diligently to ensure customer accounts remain secure, on occasion there are instances where automated processes or human performance falls short,” he said. “We strive to correct these issues quickly and look for additional ways to improve security.”

Perklin and other people who have investigated recent hacks said the assailants generally succeeded by delivering sob stories about an emergency that required the phone number to be moved to a new device — and by trying multiple times until a gullible agent was found.

“These guys will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” Weeks said.