The Security of Your Cellphone Number is More Important Than You Think
You might think that your Social Security number or bank account numbers are the most sensitive numbers you have. Wrong. Think Again.
On almost every website where you have an account, if you forget your password the website will offer to send a ‘password recovery code’ to your phone. Given this code, you can get back into your account. If a hacker gains possession of your phone he can do the same: he can gain access to almost every facet of your online life. This is probably the most common form of cybercrime today.
And he doesn’t have to steal your actual phone. All he has to do is to move your phone number into his phone. (The technical term is ‘port out’ your number.) And that is surprisingly easy. Disclaimer: I consider myself an expert at keeping your website secure. Until a few days ago I was completely ignorant in the field of telephone security. I want to share my experience and give you some advice on keeping hackers from taking over your life.
Your phone number is everywhere. Mine is on my business cards. It’s on my website. It’s easy to determine who your wireless carrier is (There are websites for that specific purpose). It’s also easy for a hacker to gather enough personal information about you to impersonate you over the phone and convince a wireless carrier’s customer support rep to port out your number.
Your first clue is that your phone has stopped working. Then the adventure begins. They start trying to use the password recovery at common websites hoping you have an account there.
The Wireless Carriers Are Coping, But Not Well
Recently, the wireless carriers have started offering to set up a PIN for your account. (Some carriers call it a ‘Passcode’ or ‘Secondary Password’.) Theoretically, Customer Service will not make any changes to your account unless you provide that code.
My personal experience is that this PIN is just security theatre. I called my carrier’s technical support number and when prompted for the PIN, I entered the wrong value. After 3 failed attempts the voice-response system said “To create a new PIN, press 1”. I found that it’s also too easy to talk the helpful Customer Service Rep into assigning a new PIN to your account.
Three Things You Should Do
First, some carriers can set the security level of your account so high that no changes can be made online or over the phone. You must physically go to the carrier’s retail store and present two forms of ID in order to make any changes. If your carrier offers this option (I know AT&T does) then do it. This will stop the hacker cold.
Second, my advice is to buy a ‘burner phone’. Go into Walmart or Target and buy a prepaid cellphone that is refillable. Don’t give the phone number out. Don’t put it on your website or your business cards. You are going to use this phone for one purpose: As the ‘Password Recovery’ phone number on all the websites where you have an account.
When you use the ‘lost password’ function on a website, it will display something like:
“We will send the password recovery phone: XXX-XXX-XX56” (displaying only a few of the actual digits).
The hacker, seeing this, cannot get into your website.
2-Factor Authentication
Third, most large websites (like Amazon and Facebook) offer ‘2-Factor Authentication’ (2FA) to help you make your account more secure. The best websites leverage an app like Google Authenticator, which you can download from the Apple App Store and install on your iPhone at no charge.
Once you’ve turned this feature on, and done the initial handshake between the website and your iPhone, at login you will be prompted for a six-digit code in addition to your username and password. You bring up the Google Authenticator app, read the six-digit code (which changes every minute) and enter it into the website’s field. Bam! You’ve stopped the hacker cold even if he knows your password.
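The code generation and checking behind that handshake, shown here as an added example that is not part of the original post and not Google Authenticator’s own code: a minimal RFC 6238 time-based one-time password (TOTP) implementation in Python. The site creates a random secret at enrollment and hands it to the app in a QR code; from then on both sides derive the six-digit code from the shared secret and the current time, so the server never has to send anything to the phone. The example uses the RFC’s default 30-second time step, the account and issuer names are assumptions, and the drift window and replay check are my design choices for the server side; the known-answer values in the test come from the published RFC 6238 SHA-1 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length the site asks for at login

# Published RFC 6238 SHA-1 test key (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Random base32 secret the site creates at enrollment and shows as a QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded in the enrollment QR code (account/issuer are assumptions)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app displays."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server-side check with drift tolerance and replay protection.

    Accepts the current step plus/minus `window` steps so a code typed at the end
    of its period is not rejected, compares in constant time, and remembers the
    highest counter already accepted so the same code cannot be submitted twice.
    """

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1

    def check(self, submitted: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        counter = now // self.step
        for c in range(max(counter - self.window, 0), counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret_b32, c), submitted):
                if c <= self.last_counter:
                    return False      # replay of an already-used code
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("enrollment URI:", otpauth_uri(secret, "alice@example.com", "ExampleSite"))
    print("code right now:", totp(secret))
```

Two details matter on the server side: the comparison uses `hmac.compare_digest` so response timing does not leak how many digits matched, and the verifier records the last accepted counter so a code that was phished or shoulder-surfed cannot be replayed inside the drift window.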
I have 2FA installed on all of my websites. I do my best to convince my clients to let me install it on their websites as well. You should too.
NOTE: From a technical perspective, 2FA is very effective. Keep in mind however that a determined, experienced hacker is very good at ‘social engineering’. He will possess enough information about you to convince/charm a Customer Service Rep over the phone to disable 2FA on your account (“I was out on the lake yesterday and I dropped my phone in the water. Can you turn off 2FA so I can set up my new phone?”). So far, I’ve had pretty good luck asking support organizations to add the following note to my accounts:
All requests to disable or change 2FA must be made in writing and be accompanied by a notarized copy of my driver’s license.