SecurityThing – Sim Swaps – Hardening Your Cell Phone Against Sim Hijacks: [03/15/2019]
It’s Friday. Time for another Security Thing. Today, Craig discusses SIM hijacking and how to protect yourself from it by hardening your cell phone account against SIM hijackers.
Below is a rush transcript of this segment, it might contain errors.
Airing date: 03/15/2019
Sim Swaps – Hardening Your Cell Phone Against Sim Hijacks
Craig Peterson 0:00
Hey, good morning, everybody. Craig Peterson here with another Security Thing.
And this morning, we are going to be talking about a guy out, again, I think it’s in California. Yes, it is California. And this happened just last month; in fact, sentencing was March 14, 2019. This is what’s called SIM jacking, and it’s being used more and more. You know, many of us are conscious that our personal information is out there, that we really should be keeping an eye on it, that we really should be making sure that our personal information is protected. So what do we do? Well, we put new passwords on user accounts. We’re using 1Password, we’re using LastPass. But there is a big vulnerability for many people.
Some websites support two-factor authentication, also known as 2FA, and that’s a wonderful thing. But the problem is, many of them only support a type of two-factor authentication that uses your cell phone to identify you. They send a text message, an SMS message, to identify you and who you are. So you will go on to the website and you’ll enter your username, your password, and then it’ll say, okay, we just sent a code to your cell phone. What’s that code?
Now, there are much better ways of doing this with two-factor authentication. We use USB keys, we use something called Duo on our phones.
So a special message comes through to an application on our phone that pops up, and we have to authorize it. We have biometrics turned on as well, so that it’s a lot safer. But we’re handling other people’s data, right, our customers’ data. If you’re handling customer data, or employee data, you should be doing something similar.
Well, in this case, Joel Ortiz was doing something known as a SIM swap. And he was able to use it to steal $5 million from people there at the school and elsewhere.
What he did is he stole the phone numbers of people that had cryptocurrency accounts.
How do you do that? Well, it’s actually pretty simple. If people’s accounts aren’t set up properly, all you have to do is call the carrier, you know, AT&T, Verizon, T-Mobile, whoever it might be. Call the carrier, pretend to be the person, and do what’s known as a port out. You know how you can change your mobile phone company and still have the same phone number? That is called porting your number, and a port out is where you call your current provider and say, I’m moving my number out of your service and into another service. That’s a port out. So what he did is he had 40 victims.
He called up their phone companies and said, Hey, I’m moving to a new carrier. He provided the SIM number for the new phone he wanted to port it to, and they, of course, just went ahead and moved the phone number over for him. And you can do it quite simply. You don’t have to change carriers; you can just say I have a new phone, I have a new SIM card, and they will port your phone number to that new SIM card.
Then what the guy did is he went online to the crypto repository, if you will, where this Bitcoin, this cryptocurrency, was stored, and he tried to log in. Recover my password. They sent the reset to the phone number, which he had control over. And he used that to steal about $5 million in cryptocurrency.
So he’s getting 10 years in prison. But it doesn’t have to be cryptocurrency. This SIM hijacking is being used for all kinds of fraud.
So here’s what you need to do to prevent this. First off, you need to harden your account with your mobile phone provider. Make sure you turn on something like a PIN on your account. AT&T lets you add a passcode to your account at AT&T. Verizon is now requiring every customer to have a PIN or password as a primary authentication method. Because remember, they can call using your caller ID even before they do the port out, the SIM hijacking. T-Mobile has what they call a port validation feature. It’s a passcode separate from the usual passcode. Sprint offers a separate PIN you can use. So take a minute, do it right now: call your cell phone provider directly.
Explain that you’re worried about criminals taking over your phone number and ask about whatever kind of increased security they might have to protect your account. And then the second thing to do is never link your cell number to your online accounts. Now, I know in many cases it’s impossible not to. They require your cell number. I’m thinking about PayPal here right off the top of my head. And that’s always bothered me. They don’t have good two-factor authentication. At least not that I could find going online. If you know about it, let me know. Send me a note, text me at 855-385-5553 and let me know.
But take a minute, remove your phone number from any account that could interest hackers. And you know, PayPal is one of those, isn’t it?
Use something like Google Voice, which is a VoIP number that is SIM-hijack proof because there is no SIM associated with it.
That’s what I’ve gone to. I’m using a VoIP number for the verification number. So you obviously have to protect that number using a unique password and two-factor authentication, and make sure it doesn’t expire if you don’t use it regularly. But there are a lot of steps that you can take. Look at your Gmail, Microsoft, Apple, Twitter, Instagram, Facebook and Amazon accounts, anything else that you have. Go into your security settings and try and use something like Google Authenticator or Duo. As I mentioned, Duo is something that we use here for my business to protect our information and our customers’ information. And if you’d like to know more, let me know. Maybe we’ll put together a master class for you guys, a little free class, but you gotta let me know if this is something you think I should do: 855-385-5553.
Just text me right there and let me know, or just email me@CraigPeterson.com. Let me know that you’d be interested in learning more, maybe some step by step to stop SIM hijacking on your accounts. All right. Take care, everybody. We will be back tomorrow with a full radio show, my half-hour show that’s heard on terrestrial radio in New Hampshire, Maine, Vermont, and also Massachusetts.
So take care and of course it’s here on podcasts as well. Bye bye.