Over the past few weeks, T-Mobile users have reported receiving strange texts warning them of “phone number port out scams”.
T-Mobile has confirmed that it has been sending out texts warning its customer base of an uptrend in phone hijacking scams.
Although the messages may appear odd, the company has confirmed that it is messaging its entire post-paid customer base, and has been doing so for several weeks.
The attack is relatively simple to execute. An attacker collects personal information about the victim, then calls T-Mobile pretending to be that person. They either ask T-Mobile to transfer the phone number to a new provider, or ask for a new SIM card to be tied to that number. Once T-Mobile has done so, the scammer controls the number and can use it to bypass two-factor authentication for banks, stock trading sites, and other sensitive services.
A T-Mobile spokesperson told Gizmodo: “Port out fraud has been an industry problem for a long time, but recently we’ve seen an uptick in this illegal activity … We want to make sure our customers [are] aware of this risk and encourage them to add extra security features to their accounts.”
If you use T-Mobile as your provider, T-Mobile recommends you call customer service and set up a port validation PIN. This will tie a 6-to-15 digit PIN you set up to your account, so if someone calls in trying to transfer the number, they’ll need to provide that PIN for it to go through. This PIN should differ from any other PIN you use elsewhere, so no one can guess it.
Even if you do not use T-Mobile or another provider that allows for such a PIN, you should consider moving away from SMS and phone calls as your second authentication factor. Several apps, such as Authy and Google Authenticator, generate secure one-time passcodes that remove the need for a phone number. Security questions don’t work as well as specialized authentication apps, but they can work better if the answers are false or consist of random strings.