How to Protect Your SIM Card and Phone Number (+ Video)

MotherBoard ^ | November 23, 2017 | By Lorenzo Franceshi-Bicchierai

[Swordmaker]

Hackers are increasingly trying to take over phone numbers to target email and banking accounts. Here's how to stop them.

See the following video at the source site.

This short video and explainer is summarized from The Motherboard Guide to Not Getting Hacked, our comprehensive guide to digital security.

Your phone number is quickly becoming the key to your digital identity: your email, banking, and social media accounts are likely all linked to it. So hackers are increasingly trying to take over people’s numbers by directly hijacking their SIM cards. These kind of attacks, known as “SIM swapping” or “SIM hijacking,” allow hackers to take over your cellphone number, and in turn anything that’s connected to it.

The way these attacks work is hackers call up your cellphone provider and trick them into thinking they are you—a method known as “social engineering”—in order to get a new SIM card linked to your account.

These attacks can be prevented, or at least made much harder, by setting up a phone password. This is essentially a unique password or phrase that you are required to provide when you call your provider’s customers’ support. Most US carriers now offer this option. Motherboard confirmed that Sprint, T-Mobile, Verizon and U.S. Cellular all give customers this option. Verizon and U.S. Cellular have made this mandatory, according to their spokespeople. Call your provider and ask them to set this up for you.

This will make it extremely hard for the bad guys to steal your number.

[wally_bert]

My wife’s CC was used to buy a go pro that was shipped to the home address.

Within a day of it’s arrival and for a few days later, FedEx was sent to pick it up to take it to some bogus place in Miami.

I called FedEx and they seemed unconcerned about how many times a truck was being sent for nothing.

The camera was returned and damage handled.

[4yearlurker]

IF I buy on Ebay or Amazon I always use a gift card. No personal info needed.

[sauropod]

do this.

[xrmusn]

I called FedEx and they seemed unconcerned about how many times a truck was being sent for nothing.
= = = = = = = = = = = = = = = =
I was contracting out to a Delivery Service that was doing ‘FedEx’ Same Day, which at the time really wasn’t advertised as FedEx was charging about 10 bucks for most anywhere in the country and FESD was paying ME about 1.20 a mile and FE had to pay whoever was hiring me.

I have made standard pickups for FedEx on misroutes and I would pick up something in VA take to airport and fly to wherever and more often than not I drove it at my regular rate.

So FedEx would end up pay a few hundred bucks for a misroute that was paid for at regular rate.

When FE started ‘buying up’ trucking companies, I would basically be delivering some for FedEx that was actually from FedEx to FedEx, paying me and my ‘boss’ in the interim.

AND they still make money....

This small package delivery got so ‘bad’ I am virtually getting paid less today than I was 20 years ago.

Then again when your ‘major’ shippers buy up most of the competition they can get away with that.

There is also a ‘thriving business’ at airports for delivering ‘lost luggage’.

Used to be for that all you would need was decent transportation and the WILL TO WORK and one could make a good living, though the hours etc were kind of ‘iffy’.

[Wuli]

Never ever answer your phone, cell or landline, when the caller # or caller ID shown says it is you.

Such calls are made using VOIP - voice over internet protocol - the kind of calls you can make with applications like Skype and Magic Jack devices. Experienced techies using VOIP methods are EASILY able to make it so the caller sees the incoming call as from whatever number in the world the person making the call wants them to see.

There is no doubt that even many of the political and advertising robo calls you get do not really come from the area codes and phone numbers those calls are identified with. Even more and more of those outfits are trying to mask where they are really located.

[RushIsMyTeddyBear]

Bump.

[bgill]

Lifelock is the holy grail for hackers. Just wait until they break into that.

[aMorePerfectUnion]

You may be right, but Equifax had more data than LifeLock has.

Is there a class action suit against Equifax yet?

[taxcontrol]

I am a professional hacker. In other words, I get paid, usually by banks, to try and break into their IT systems. Home WiFi, cell WiFi and cell Bluetooth are BY FAR, the easiest vector for a targeted attack.

Having said that, the easiest way to protect yourself from an external cell hack is - turn off WiFi and Bluetooth when you are not using them!

[conservatism_IS_compassion]

I was home! Met the ups guy in the driveway! . . . That means the thief is a neighbor then.

Not that likely a near neighbor; they will have tracked the delivery with a view showing up to pick up the package shortly after its delivery. Likely they may have been skulking nearby when the delivery occurred.

[jiggyboy]

Never ever answer your phone, cell or landline, when the caller # or caller ID shown says it is you.

I pick up and pretend that the call must be me calling myself from the future. Ask the Indian at the other end where and when we will meet, do we work together, etc. They're baffled for quite some time.

[AllAmericanGirl44]

Bkmk

[House Atreides]

“...Is there a class action suit against Equifax yet?”
****************************************
If there is and it is successful (or settled, the most likely outcome) the plaintiff attorneys will be paid several hundred millions of dollars. And affected consumers will be mailed 2 “forever” stamps IF they take the trouble to file their claim online.

Of course, the victorious trial lawyers will, as expected, donate several million dollars to the ‘RAT political groups who protect the class action “racket”.

[conservatism_IS_compassion]

The issue, surely, is that keeping track of identities is the legitimate function, first, of the state and federal (birth certificates and driver’s licenses being state, passports being federal) governments. The government has to know who is and who is not a person of interest, a fugitive, etc.

Keeping track of identities is also, most routinely, a necessary and legitimate function of any bank. And also, comes to that, a brokerage account.

Now all of a sudden we have the credit card issue, and online financial transactions. And Apple ID, and email addresses.

It seems like the banks should have the function of verifying id locally. If I present at the bank, the bank should be able to verify my ID and certify it to any other user such as any credit card company. And there is a legit function for a LifeLock - but inherently, the database which Lifelock generates is the richest of targets for hackers. And I take it you register with LifeLock without presenting physically to a LifeLock employee to be vetted, suggesting the possibility that the ideal way to steal an identity completely is to get a Lifelock account in the name of that identity.

[PA Engineer]

I was also contacted by eBay today. My account had been frozen because of the same problem.

[Maskot]

eBay did not contact us. We called them to report fraud. Funny thing was the orders did not appear anywhere on the legit account (ours). We got emails that said they were from eBay confirming the orders and ups tracking numbers. eBay brushed it aside. They did not care. All they wanted was for us to forward those emails to spoof@ebay.com. I wrote the tracking numbers down and went to the ups website and sure enough, they were real tracking numbers. Got delivery status info, time the packages were to arrive etc. And arrive they did! A refurb computer and a Russian guitar.

[generally]

>> I got a phone call today which said it was from ME, using my own phone number. When I answered, a voice saying it was from AT&T announced that my phone account was “being flagged for security purposes” and then asked “Please provide us with the last four digits of your social security number.” I said “Like HELL I will!”
Whoever it was then hung up.

I immediately called 611 on my iPhone and waited six or so minutes to talk to someone at AT&T. They informed me, as I suspected, they NEVER call using the customer’s phone number, and will NEVER ask for any portion of the customer’s SSN. They only call from an AT&T number which is obvious on an AT&T device. It was a scammer phishing for my SSN and other identifying information.

---

EXACT same thing happened to me. I took the EXACT same steps.

If the FBI can spare some time from the Trump-Russia investigation, I’d love for them to put some effort into ending these scams.

Best FReegards,
g

[zeugma]

It is amazing how much stuff is now linked to your phone and email. When my wife passed a couple of years ago, I already had most of the information I needed to get all the various accounts and stuff, but some stuff caught be by surprise. Getting passwords to various websites that she had connected to her phone were easy, as you pretty much just had them send reset codes either to the phone, or her email accounts. One of the things that I did actually end up having issues with was the pin code discussed in the article with the phone company. I didn't know it. It took a bit of wrestling with them to get it reset.

What they are talking about here can be pretty devastating. If someone can hijack your phone number, they can probably get access to your email, and given both of those things, they can essentially do anything.

[The Westerner]

Great thread Sword. Since Verizon Wireless bought my cell carrier many years ago, they’ve asked for a password when telephoning them. They used to have the best customer service by dialing 611. Nowadays, they want customers to go online and sort through not so obvious screen interfaces. Sigh. Another example of complicating what was once simple.