Hackers Have Found a Way to Pretend to be You

Category

Vulnerabilities


Think about everything that’s on your cell phone right now.  Your dog pictures, your banking information, your social media accounts, phone numbers and texts to friends, and maybe even your work email.  We’ve talked about protecting your mobile devices before, and you’ve hopefully set a passcode on it and made sure not to plug it into any unknown USB slots.  You probably even bought a fancy case to protect it in case you drop it, and you never let it out of your sight when you go out.  But what if all of that didn’t matter and a hacker could take over your cell phone? Welcome to SIM jacking.

“Like the video game ‘The Sims’?”

Not quite. SIM stands for “subscriber identity module” or “subscriber identification module”, but you most likely know it as that little card that your mobile phone carrier gives you to put in the slot on the side of your cell phone using a paperclip (check out the image above to refresh your memory).

SIM jacking has become a recent phenomenon, where hackers will call phone companies and either use social engineering (aka tricking someone) or bribes to gain access to your phone number. The hacker will then transfer your phone number to a SIM card they have on hand and then the problems start.  The hacker can intercept phone calls, place phone calls as you, or receive and send texts. Think about when you call a company or a family member and they know it’s you because of your phone number. Or think about how if you receive your multi-factor authentication as a text message, now the hacker has access to that too!

These hacks have been used for everything from stealing cryptocurrency, to emptying bank accounts, to taking over social media accounts, to deleting and resetting computers.

“How can I prevent this?”

Unfortunately, mobile phone carriers have been slow to act on this front, but there are actions you can take to prevent this depending on your carrier:

AT&T

  1. Set up your “wireless passcode” by going to the myAT&T website

  2. Click on your profile

  3. Click Sign-in info

  4. Click Get a new passcode to set your “wireless passcode”

  5. Enter a new wireless passcode (4-8 digits)

While you’re there, turn on “extra security” to protect your online account as well by going to your profile, then Sign-in info, then Wireless passcode and check Manage extra security.

VERIZON WIRELESS

  1. Set up your “Account PIN” by heading to the Change Account PIN website

  2. Sign in to your My Verizon account

  3. Enter a new Account PIN (4 digits), then re-type the new account PIN in the designated box

  4. Click Submit to confirm.

T-MOBILE

  1. Set up your “Customer PIN/Passcode” by logging on to the My T-Mobile website

  2. Choose a verification method (SMS/text or security questions)

  3. Click Next

  4. Follow the prompts based on the verification method selected. Once complete, you can set up your PIN/Passcode.  For T-Mobile, it’s 6-15 numbers that don’t meet any of the following:

    1. Sequential (such as 3456789)

    2. Repeating (such as 4444)

    3. The beginning or end of the mobile number

    4. A mobile number on the account or the Billing Account Number

    5. Federal tax ID number, Social Security number, or date of birth

  5. On the Set Your PIN/Passcode screen, enter the desired PIN/Passcode and click Next. You will be directed to the My T-Mobile home page
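If you manage phones for a team, the T-Mobile PIN rules above can be checked before anyone logs in to set one. This is an added example, not T-Mobile's own validation code; the function names, the handling of descending runs, and the date-of-birth spellings are assumptions, and the phone number in the usage note is constructed.

```python
import re
from datetime import date


def digits_only(value):
    """Strip dashes, spaces and brackets so '(555) 010-1234' compares as digits."""
    return re.sub(r"\D", "", value)


def pin_problems(pin, mobile_numbers, billing_account="", tax_id_or_ssn="", dob=None):
    """Return the rules from the list above that a candidate PIN breaks."""
    if not re.fullmatch(r"\d{6,15}", pin):
        return ["not 6-15 digits"]
    problems = []
    # Differences between neighbouring digits: all +1 (or, as an assumption,
    # all -1) is a sequential run; all 0 is one digit repeated.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("sequential")
    if steps == {0}:
        problems.append("repeating")
    for number in map(digits_only, mobile_numbers):
        if pin == number:
            problems.append("mobile number on the account")
        elif number.startswith(pin) or number.endswith(pin):
            problems.append("beginning or end of the mobile number")
    if pin == digits_only(billing_account):
        problems.append("billing account number")
    if pin == digits_only(tax_id_or_ssn):
        problems.append("tax ID or Social Security number")
    if dob is not None:
        # Assumed spellings; the page does not say which ones the carrier checks.
        forms = {dob.strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y")}
        if pin in forms:
            problems.append("date of birth")
    return problems
```

Calling `pin_problems("101234", ["(555) 010-1234"])` reports that the PIN is the end of the mobile number; an empty list means none of the listed rules were broken.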

SPRINT

  1. Set up your “account PIN” by logging on to the My Sprint website

  2. Click on My Sprint

  3. Select Profile and security

  4. Scroll down to Security information

  5. Update your PIN and click Save

GOOGLE FI

Google Fi works a little differently than the other major mobile phone carriers, and as such, doesn’t have a PIN to set.  Instead, we recommend you enable multi-factor authentication on your Google account associated with your Google Fi number.  Hopefully it goes without saying at this point, but don’t use SMS/text for your multi-factor option, and instead opt for the Google Authenticator app:

  1. Go to the 2-Step Verification page on your computer and click Get Started

  2. Log in to your Google account, if needed

  3. Click Authenticator app to set up the application

  4. Select your cell phone operating system (iPhone vs Android)

  5. Leave the page and download Google Authenticator on your mobile device and open the app

  6. Click Begin setup and then Scan Barcode

  7. Scan the code on your computer screen with your mobile device

  8. Enter the code that appears on your cell phone onto your computer

“Ok done. Is there anything else I need to do with my SIM?”

Yes, so stay tuned for our upcoming ACT post on SIM locking! In the meantime, how do you make sure your organization stays safe from SIM jacking? Let’s talk about our Cybersecurity Policy and Controls to make sure no one on your team can let SIM jacking bring your work to a halt. Ready to talk? Click the button below to start the conversation.

 
