With just your phone number and a little of what’s called “social engineering” (in which a hacker needs no technical knowledge, only the ability to convince a customer service rep that they are you), a maliciously intentioned person can break into all the above accounts and more.
And they have been doing just that, stealing money, blackmailing people with sensitive information, taking over social media and embarrassing their targets, or getting access to private documents such as tax returns and passport numbers.
It starts with some readily available information about you, such as your address, phone number, birthday or the last four digits of your Social Security number. The hijacker gives some combination of these and a plausible story to a telco customer service rep, who lets them into your account. They then have your phone number forwarded to their phone or “ported” to another carrier and the hacker’s device.
Then the phone hijacker simply goes to, say, your Gmail or your online bank account, tries to log in as you but clicks “forgot the password” and resets the password by getting a code texted to your phone number, which is now directing all its messages to their device. Then they are in your account — and you are locked out.
In an article yesterday, I described the many ways that hackers have done this in recent months to holders of cryptocurrencies like bitcoin and Ether, but this crime can be perpetrated on anyone who uses the most ubiquitous web services — Gmail, iCloud, Facebook, online banking, PayPal, Dropbox and many others.
As you can read in the story, the telcos are behind the curve in procedures on preventing phone hijackings, so you’ll have to take your own measures to protect your phone number from the grubby hands of phone hijackers.
Additionally, a wide range of companies from financial institutions to email providers use this passcode-by-text security method, which has known weaknesses. Called two-factor authentication via SMS, it requires a password, which in authentication theory is one factor — something you know — and sends a code to you via text message, with the phone being a second factor — something you have. You enter the code and gain access to your account.
But when the code is used for password recovery and reset, hijackers don’t even need to enter the first factor to have it sent to them. With just one factor (the code), they create a new password for themselves, and now can do whatever they like with your account.
The fact that your phone number is used for security while the telcos are not safeguarding it has created the perfect opportunity for hackers, who have so far made off with millions of dollars’ worth of cryptocurrency. But they could just as easily perpetrate these crimes against anyone with a cellphone who uses any of the above services.
Here’s how to protect your phone number and your web accounts for your email, online financial institutions and more.
How To Keep Your Phone Number From Being Hijacked
1. Institute a passcode on the account.
This is the most basic precaution. However, as several hijacking victims discovered, if the hacker finds a customer service rep who forgets to ask for it, or who lets other information such as your address and the last four digits of your Social Security number suffice, then your number can be hijacked anyway. So, add a passcode to your account, but don’t rest easy after that. It helps, but if the hacker talks to an unwitting customer service rep, game over.
2. Use a mobile-carrier-specific email address to access that account.
Up till now, most likely, your phone number and your email address have been the gateway to all your other accounts. You need to stop that right now. If you follow several of the steps I outline in this story (unless you go with Google Voice), you’ll end up with at least three email addresses: your current primary one, one just for your mobile carrier, and one that you use for other sensitive accounts such as online banking or Facebook or Dropbox. That way if your primary email address gets compromised, it can’t be used to steal your phone number (and vice versa). And if your phone number gets compromised somehow, it won’t endanger your email or any of the other sensitive accounts.
However, if any of these non-phone/email accounts has a higher threat level (one of the victims watched his hacker search in his Dropbox folders for files containing the names of executives who managed the bank accounts at his former company), then you probably want to create a separate account for that as well so that if the email address you use for multiple sensitive accounts is ever breached, that one won’t be as well.
If you port your main number to Google Voice, you should still separate your main email address from that used for your other sensitive accounts so if your primary email account is compromised, hackers can’t get into your other accounts.
3. Disable online access to your wireless account.
Yes, this is annoying, as you’ll now have to go into the store or call to make changes, but it is one less way in which a hijacker can hack your account.
4. Tell your carrier you’d like to require that changes to your account can be made only in person with photo ID.
A hacker can still pretend to be you anyway, as the Federal Trade Commission chief technologist discovered when she had her number hijacked by someone with a fake ID using her name and the hacker’s photo. But, still, it’s one more hurdle for potential hijackers.
5. Try Google Voice.
At the moment, it appears you cannot institute a “port” freeze on your number at other carriers, at least according to the Federal Communications Commission. (The major telcos and other industry organizations declined interviews.)
The only service that I am aware of that enables a “port freeze” is Google Voice. (If you are aware of others, please let me know.) When you sign up for a Google Voice number, the default is that the number is “locked” to you, as described in this blog post by Jesse Powell, chief executive officer of cryptocurrency exchange Kraken.
If you don’t want the hassle of changing phone numbers, you can forward your existing number (let’s say the last four digits are 1234) to Google Voice to receive calls and texts there. You’ll then have to sign up for a new line with your carrier for service, but you can mask your outgoing calls and texts to appear to be coming from the 1234 number. Just be sure not to ever give out or use the actual phone number that is on your wireless account and only to give out the 1234 number that is with Google Voice.
If you are a Google Fi subscriber and want to port to another carrier, the service requires you to notify it first, which then gives you a “port out” account number and password to provide to your new carrier. (I’m not sure what happens if a hijacker attempts to port it as portings are typically initiated at the new carrier, but have reached out to Google and will update when I find out.)
How To Protect All Your Online Accounts
1. Create “high entropy” passwords.
Use a password manager that creates long and random passwords for you such as LastPass, or make a set of rules for yourself that will allow you to generate your own random passwords.
Brett McDowell, executive director of the FIDO (Fast Identity Online) Alliance, a group of 250 companies worldwide working on industry standards for stronger authentication, says, “Most people think ‘have a strong password’ means, choose a password that people can’t guess in the seven or eight attempts before you get logged out. No no no. That’s not the only reason.” If the company’s database gets hacked (which you should expect), even if the passwords in it are encrypted, the hacker will have unlimited tries to crack your password. “The encryption process that’s used is harder to crack if the original password has a higher entropy,” says McDowell.
A trick to doing this, if you’re not using a password manager, is to create a high-entropy password of random numbers, upper and lower case letters and special characters. Memorize this. Then come up with a rule that will create a unique password for every website you use.
For instance, if you are creating a new password for United.com, maybe your rule is to take out all the vowels and then take the consonants but shift them all to two letters later in the alphabet. So if your gobbledygook password is 1A@0z# (it really should be longer), then you add WPVF (all two letters later in the alphabet than UNTD) to the middle of it, so your password is now 1A@WPVF0z#.
If applying the same rule to shopbop.com, then it would become 1A@UJRDR0z# (with the middle letters all two letters later in the alphabet than SHPBP). But don’t use the rule I just outlined here — make up your own.
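As an added example that is not from the article, here is the derivation rule above in Python: the domain’s consonants are shifted two letters later in the alphabet and inserted into the middle of the memorized base password, plus a rough entropy estimate of the kind McDowell describes. Applied literally (dropping all five vowels), United.com yields PVF rather than the article’s WPVF, which kept the U; shopbop.com matches the article.

```python
import math
import string

VOWELS = set("AEIOU")


def shift_consonants(label: str, shift: int = 2) -> str:
    """Drop the vowels from a domain label and shift each remaining letter
    `shift` places later in the alphabet, wrapping Z back around to A."""
    out = []
    for ch in label.upper():
        if ch.isalpha() and ch not in VOWELS:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
    return "".join(out)


def site_password(base: str, domain: str) -> str:
    """Insert the shifted consonants of the domain's first label into the
    middle of the memorized base password, as the article describes."""
    label = domain.lower().split(".")[0]  # "shopbop.com" -> "shopbop"
    middle = len(base) // 2
    return base[:middle] + shift_consonants(label) + base[middle:]


def entropy_bits(password: str) -> float:
    """Rough upper bound on entropy: assume every character was drawn
    uniformly from the union of the character classes that appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    base = "1A@0z#"  # the article's (deliberately too short) sample base password
    # Only the memorized base carries secret entropy; the inserted chunk is
    # derived from the public domain name and adds none.
    print(f"base entropy ~{entropy_bits(base):.0f} bits")
    for domain in ("shopbop.com", "United.com"):
        print(f"{domain:12} -> {site_password(base, domain)}")
```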
2. Don’t answer security questions truthfully or the same across all sites.
When hackers take a company’s database, they don’t just get the passwords. They also obtain the answers to security questions. Plus, as Chris Hadnagy, chief human hacker of Social-Engineer, pointed out in my article on the phone hijackings, they don’t even need to hack anything to get this information. You probably put a lot of it out on social media yourself.
However, if your answers differ slightly from site to site, that makes it harder for the hacker to get access to any other site. You could use a rule similar to the password one above to create unique answers for each site.
3. Do NOT connect your main phone number, the one you protected via the steps above (unless it is managed by Google Voice), to any sensitive accounts.
If you’ve ported your main number to Google Voice and secured that email account, then this likely isn’t necessary since your number is pretty safe from being hijacked. However, if your main number is still at a telco and not managed by Google Voice, then you’ll want to completely divorce your phone number from all sensitive accounts.
Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number. I would even select a random area code.
Secure this email account with a long, high-entropy password and one of the two methods outlined below — a one-time passcode generator such as Google Authenticator or a FIDO security key.
Then, enter this phone number for any of your online banks or any other sensitive account such as Facebook, Twitter, Dropbox, Evernote, Slack, etc., that have you enter a phone number either for 2FA via SMS or password recovery.
That way, if your regular phone number is hijacked, the hacker can’t get into any of these accounts and reset the password. But you must secure that email address — otherwise, that Google Voice number can be compromised, and then the whole point of this process becomes moot.
4. Use one-time passcode generators.
Passwords can easily be stolen through phishing attacks, in which the hacker poses as a legitimate service and asks the user to enter their password on a website doctored to look like that company’s, or via keyloggers: malware the target is unwittingly persuaded to download, which then records every keystroke and gives the passwords away to the hacker.
For that reason, time-based one-time passcode (TOTP) generators such as Google Authenticator, in which you have a device with the app generating new codes every 30, 60 or 90 seconds, can be a strong additional second factor. The only way you can enter the correct temporary code is if you have the device that created it. Many services, including Google, Facebook, Twitter, Dropbox, Evernote and others offer this option for security in addition to the password and as a more secure choice than 2FA via SMS.
However, McDowell notes that these are increasingly compromised because they still operate on the same “shared secret” model as passwords. “I still have to give that secret away to use it,” he says. “I still have to type that number into some application, and if I’ve been tricked into typing it into the wrong application, I’ve just given that code to someone else. The thinking used to be, well, so what because it expires quickly, but the attackers are sophisticated. They’re doing real-time attacks and they collect that code and get into that account while you sit there looking at an error message wondering, what did I do wrong?”
A Google executive, in fact, said, at the Cloud Identity Summit in 2015, “A phisher can pretty successfully phish for an OTP just about as easily as they can a password.”
5. Use a security key.
These devices, which are relatively inexpensive, operate on a new FIDO industry standard protocol called universal second factor, or U2F. Again, it starts with the first factor — your password (what you know). The second factor is a what-you-have factor: a physical security key device such as a YubiKey. Some of these devices are USB ones that are inserted into a USB port, and others are Bluetooth or NFC-enabled, so you simply hold the key near the device you are logging in on.
Such a device uses something called public key cryptography where the public key and private key differ. The private key is on your device, and it never goes to the server. It always stays on your device, but when you want to sign in, the server sends a challenge to the device, which in turn challenges the user. You simply have to touch it so that the service knows a human is present and not a bot trying to attack the account, accomplishing the same purpose as CAPTCHA tests online.
It is “not vulnerable to social engineering, never gives away the secret,” says McDowell. “Not only do you not give the private key away, but malware can’t get the private key off the device, so with FIDO authentication with these security keys, I have to physically steal your security key device, in order to compromise your authentication credentials — I can’t do it remotely. I can’t trick you into doing it for me, can’t trick you into getting me into your account.”
6. Use a device that uses biometric authentication.
The public key cryptography method can also be designed for a passwordless experience under what’s called the FIDO UAF (universal authentication framework) standard, which requires multiple authentication factors, typically a what-you-have factor (a device holding the private key) and a what-you-are factor such as a fingerprint, iris or voice scan via biometric sensors.
However, this doesn’t require the private key to be placed on a separate device such as a YubiKey. The what-you-have factor is your computer or tablet or mobile phone itself, so when you log in this way, it seems to you that there’s only one gesture required — swiping your fingerprint or looking at the camera.
“I touch something, I look at something, maybe I talk to it — it couldn’t be easier from a usability perspective, and it’s an un-phishable, not attackable remotely, an unscalable attack,” says McDowell. “In order to attack a FIDO credential, in the case of multiple credentials, I have to steal your phone then compromise your biometric sensor.” Although this can actually be done, it’s a difficult, time-consuming process (and also probably not very profitable since it’s expensive and labor-intensive and can’t be done at scale), and McDowell says, “in the meantime, you’ve just reported a stolen phone and it’s de-provisioned on the server side, and they can’t get in anyway.”
A few devices out in the market now use this FIDO UAF method, including the Samsung Galaxy S6 and S7, S6 and S7 Edge, Note 5 and Note Edge, as well as some devices by Sony, Sharp, LG, Fujitsu and more. And although FIDO is not built into Apple devices, TouchID is open to third-party applications, so iOS apps can employ FIDO authentication. For instance, Bank of America offers FIDO on Apple and Android devices.
In conclusion, while these steps may seem time-consuming, they can be accomplished in a few days and can save you the huge hassle, headache and potential losses of having your phone hijacked, your email account compromised, or your financial accounts and other sensitive information hacked.