Look at your phone and ask yourself, do you rely on that tiny device for your business dealings? Your important family notifications? Your link to the outside world? If the answer to any of these is “yes” then it is critical you be aware of the rise in phone porting scams, and how they can affect you and your business. According to the New York Times, there were 1,038 documented cases of phone porting incidents in 2013, and that number jumped to 2,658 in 2016. In February of this year, there was a resurgence in this type of attack, largely on the T-Mobile network, potentially due to a vulnerability that allowed sensitive data to be pulled with a phone number due to a faulty API process, or the 2015 T-Mobile customer information breach. This epidemic is, however, not limited to one carrier or country, but is an international issue. Last summer Deborah Brodie of Australia was interviewed about the effects a phone porting scam had on her business, where customers and clients were unable to reliably contact her for five days.
How does it happen?
Using Open Source Intelligence (OSINT) combined with technical knowledge, malicious actors are able to get information on individuals’ telephone numbers and their carriers. In some cases, the attackers may have also obtained access to the victim’s account password through leaked data, hacking, or social engineering attacks like phishing and vishing. AT&T even suggests impersonation is used, where attackers will create a fake identity by using a victim’s information gathered through OSINT to walk into a store and port a number to a new device in person. Once porting has occurred, the attacker gains access to all of the information stored with, and processes that involve, your phone number.
What are they looking for?
In many cases, attackers are looking for quick financial gain. There is evidence of porting scams used to lift cryptocurrency wallets and bank information. Many default two-factor-authentication (2fa) processes send codes to a cell phone number and once the attacker is in possession of the number they can use 2fa to reset the password on a bank account, PayPal account, or a crypto-wallet. Additionally, some email providers use a mobile number for 2fa, which can provide an attacker limitless access to your emails.
Once an attacker has ported a number, it can be extremely challenging to port it back once passwords and accounts have been reset. Using your ported number and social engineering techniques like vishing, where an attacker will call entities fraudulently over the phone, attackers can not only change your passwords, but can alter your security questions and lock you out of your own accounts. This can provide attackers multiple days to utilize your mobile number and accounts as their own. Not only are your finances at risk, imagine the amount of corporate intelligence that could be acquired on your business during that time. Depending on the attackers’ goals, phone porting can expose the internal workings of your role and organization, which could be volleyed into further, deeper, and more damaging attacks on your company. The depths of this damage could go undiscovered for months or years. Furthermore, the information that can be gathered on you and your loved ones should make any individual shudder.
How do you know if your number has been ported?
There are accounts of users noticing their phone number has been ported when their cellular device suddenly and unexpectedly loses service, and only SOS or emergency calls are available. Other indicators may be unexpected confirmations from your banking or financial institution acknowledging changes to sensitive account information or money transfers. You may even receive an alert from your cellular provider that your password has been changed, though you were not the one to change it.
How to protect yourself and your business
Until telecommunication companies and banking entities realize the insecurity of their processes, it is up to the end-user to keep themselves and their business safe. Most phone companies will now allow users to set a 6 to 14-digit Personal Identification Number (PIN) that is required for access to the account. It is advised that you contact your cell phone provider, and the cell phone provider of any business accounts you may operate, immediately to set this additional layer of security.
According to Krebs on Security, US based cellular carriers have different ways to achieve this;
- T-Mobile users can dial 611 from their phone at any time to have port validation added to their accounts,
- Verizon users can set their PIN through their online portal, or in a store,
- Sprint requires you utilize a PIN, and
- AT&T has a system dubbed “extra security” that requires a code before changes are made.
When choosing a PIN or a code, do not choose something discoverable through OSINT or a number used elsewhere. This excludes your social security number, current or former phone numbers, and street addresses among others.
Also, whenever possible use more secure 2fa providers, such as Google Authenticator, Duo, or Authy, instead of using 2fa connected to your mobile number.
Furthermore, be aware of where your phone number is listed, or where access to it may be found. To further protect your information, you can enroll in a Voice-over-IP (VoIP) service, like Google Voice, to establish numbers unique to sensitive accounts, like your financial institutions or voter registration, as in many states this is publicly disclosed. Then, do not share that number with other entities or individuals. If you are running a business, be sure to limit who has access to the corporate cellular account and ensure it is protected by a secure PIN, and not only a single person’s social security number. Utilizing different phone numbers, be they VoIP or a separate phone, for your corporate account and your personal account will add another layer of protection.
As always, think critically, stay vigilant, and hold your vendors accountable.