What Happens When Someone Hijacks Your Phone?
Digital security is a perennial hot topic. In the wake of phishing scams, misuse of personal data and malware, the world has been placed on perpetual high alert for security threats to our PCs. But, personal computers are no longer our only route to access the online world. As our usage of mobile devices increases, are we applying the same level of care and caution to our cell phone as we would to our computer?
There are currently over 2.53 billion smartphone users worldwide, with the staggering stat line of 66.5% of people around the globe owning smartphones. That’s 66.5% of the population carrying around a small, valuable computer in their pocket or handbag. As cell phones have adapted, they’ve become a goldmine of personal information. We do our banking, shopping and socializing on our phones without a second’s thought to entering all of our precious personal data.
But, with the rise of smartphones, there has also been a rise in people wanting to exploit our more relaxed attitudes to security. Mobile phone hijacking (also known as SIM swapping or porting) is on the rise. Reports to the Federal Trade Commission between 2013 and 2016 more than doubled — from 1,038 incidents to 2,658. It’s a rising threat that can have serious consequences.
TLDR Partner, and former Supervisory Special Agent at the FBI, Jason Truppi shares his advice on how to be aware of cell phone hijacking and what you can do to prevent it.
What Is Phone Hijacking?
Phone hijacking occurs when an attacker takes over control of your phone number. This is done by social engineering (conning) your service provider into moving your number to a device that’s in the attacker’s control, or transferring or ‘porting’ your number to another carrier.
All a potential hijacker needs to port your number is the last four digits of your social security number and a fake ID. Sometimes even less. If they don’t have that information they may use a convincing story about a lost or damaged phone and make it seem credible with easily accessed information like birth date and address.
If the company is convinced, they can port the number to a new device that the attacker has full control of and disconnect the victim’s phone. Jason explains the risks of phone hijacking:
“Phone hijacking is performed so the attackers can exploit the password reset functions for email, banking, social media, and other online accounts. Many online services utilize a phone number to send one-time pin codes to a user via SMS as a second factor of authentication. Once the attacker transfers your number to a device in their control, they will reset your password using SMS. Once logged into your accounts, they begin to move laterally through other accounts that require password resets through email and other sources. Within hours, many of your accounts can be hijacked and out of your control.”
And, it’s not just passwords that hijackers will target. Often they will utilize whatever information they can get their hands on. Think about the information your phone holds besides your passwords. It’s full of personal photographs, contacts, and signed-in social media accounts. All of this can be exploited.
“Once the attackers gain a foothold into your social media accounts, they may choose to elicit money transfers from your various contact lists in the form of cryptocurrency. They may even try to extort the victim by posting offensive and/or abrasive posts on your social media accounts like Twitter and Telegram, or steal secret keys to your crypto wallets through Evernote or OneNote.”
How Can I Tell If My Phone Has Been Hijacked?
While the thought of your phone being hijacked may be terrifying, being aware can be protection in itself. According to Jason, there are a few signs that your phone may be compromised:
“The biggest telltale sign of your phone being hijacked is a loss of service. If your service seems to be off for an extended period of time, in a known good area of service, it’s possible your phone has been ported.”
You may also notice that you’re receiving unexpected texts with authentication codes as the attacker tries to breach your online accounts. If either of these things happens you need to contact your service provider, financial institutions and any companies that sent you authentication codes immediately from a secondary device. You should also disable any phone number forwarding services you may have activated.
What Can I Do To Prevent Phone Hijacking?
Prevention is better than cure. By taking a few simple steps you can protect yourself and your personal data. As a former Supervisory Special Agent at the FBI and Director of Endpoint Detection and Response at Tanium, digital security and prevention is always at the forefront of Jason’s mind:
“Most cell phone service providers allow you to put a pin in place to prevent carrier porting and/or internal changes to your account. But be aware, these pins are two different pins that perform different protections. If you’re unsure, then ask your carrier which pin protects which type of vulnerability.”
A pin can be your strongest defense against potential phone hijacks — as long as you’re careful with pin choice. Don’t go for the obvious, such as important birthdays or addresses. You should choose a pin that cannot be guessed by easily searchable personal information.
“Many online services now allow for soft token-based, or push-based two-factor authentication and allow you to pick password reset options. Soft token and push-based authentication methods are tied to specific devices rather than a phone number, which means attackers cannot get access to your codes if they don’t have your phone or other device. Once you enable these alternate methods, turn off the SMS 2FA for those accounts to further secure them.”
For services that haven’t implemented the alternative authentication methods consider having a backup phone number that you give to no one. You can still use this phone through safer VOIP services like Google Voice that can mask your actual phone number.
Remember, while it may be scary to consider the possibility of your phone being hijacked, awareness is your key defense. In our previous article, Physical Security in the Crypto Space, TLDR’s Chief Operating Officer and former Navy SEAL, Chuck McGraw, spoke about how important situational awareness is, and stated that the biggest threat to personal security is apathy:
“Sometimes we live our lives unaware, not accepting that there are potential bad actors out there who want to negatively affect us. People can be like ostriches with their heads in the sand. You don’t have to live your life in fear, but be a realist. Don’t be a victim.”
By being aware of the potential risks, we build up good security hygiene and that is what protects us from threats such as phone hijacking.
The TLDR Recap
- Mobile phone hijacking often occurs through social engineering.
- Phone hijacking is when an attacker takes control of your phone number allowing them access to password reset functions, social media accounts, and personal data.
- The telltale sign of your phone being hijacked is a loss of service.
- If you suspect your phone has been hijacked, contact your service provider immediately.
- Speak to your service provider about ways to prevent simple account porting.
- Be wary of SMS two-factor authentication.
How Can TLDR Help?
Security is an integral part of TLDR’s goals and identity. TLDR have a dedicated security team who utilize their knowledge and a passion for digital security to guide and advise you into building up safe and secure routines that will become as second nature as brushing your teeth.
Our team of experts includes veteran cyber FBI Special Agents Andre McGregor and Jason Truppi, and Navy SEAL Chuck McGraw, who all use their respective, decades-long experience in digital, operational, and personal security to help you feel more safe, secure and prepared.
If you’re interested in finding ways to collaborate and partner with TLDR, don’t hesitate to reach out here.
Find out more about TLDR. Check out our social channels below:
Website: tldr.global
Twitter: @TLDR_Global
LinkedIn: linkedin.com/company/tldr-global
Medium: @TLDR_Global
This article is based on views and information held by TLDR on publication date and may be subject to change, although TLDR does not undertake to update them. Nothing contained herein constitutes investment, legal, tax or other advice, nor a recommendation or solicitation of an offer to buy or sell any securities or to adopt any investment strategy. No representation or warranty, express or implied, is made or given by or on behalf of TLDR as to the accuracy and completeness or fairness of the information contained in this article.