You’re smart about online security, right? Sure! You use two-factor authentication on all your accounts, you don’t use dodgy WiFi, you make sure to put a passcode on your phone, and you keep it with you at all times, never out of your sight. Unfortunately, that’s not enough to protect you. Because it only takes one thing to hijack your whole digital life: Your ten-digit mobile number.
The hack attack
Fraud by phone number theft is an increasingly growing problem, the New York Times reports.
Here’s how it works: Some criminal gets your phone number. They call up the carrier — Verizon, AT&T, T-Mobile, and so on — and say they’re getting a new phone, and ask to have the number ported to it.
Once they’ve got that phone number connected to a device they control, they can use it to reset the passwords on every single account you’ve got that uses your phone number as a security backup.
In Jan. 2013, the Times says, there were 1,038 incidents of this type reported to the Federal Trade Commission; by Jan. 2016, that number had well more than doubled, to 2,658.
Pretty much everyone is at risk
The problem is, your phone number is everywhere.
As Wired recently observed, your mobile number is your all-purpose, universal ID, tying you together. You might have different usernames and passwords on different sites, but Amazon, Facebook, and Twitter all have the same phone number for you that your bank and health insurance company do.
Think about how many times you give out your number in a given year, or even a given month. Every time you shop somewhere, every time you sign up for a website, every time you fill out a form at a doctor’s office, every time you apply for a job, every time you start texting someone about a date — your mobile number is in hundreds of hands and thousands of databases, and from there it can be extremely easy to lose or steal.
But the fallout can be enormous. How many of your critical accounts — your email especially, which then links to all others — are linked into your phone? And any you have two-factor authentication enabled for (which should be as many as possible) likely also use your phone, either to send codes to by text message or through an authenticator app.
In short, this kind of attack can hit literally anyone who uses a mobile phone — even if you’re the chief technologist for the FTC.
Being at risk doesn’t necesessarily make you a target
The Times points out one critical thing: People who are going to go to this much work usually want something out of it. And while major cultural or political figures may well become targeted simply for being who they are, most of us simply aren’t that important.
But money, now — that’s a motivation as old as time. And bitcoin and other cryptocurrency miners are the ones being hit, the NYT notes.
If someone raids your bank account, you can report the fraud and get the charges reversed, eventually. There are records and laws that protect you. But if someone raids your bitcoin wallet and drains it, well — tough luck. That virtual money is designed to move that way.
One “bitcoin entrepreneur” tells the Times that everyone he knows who invests in bitcoin “has gotten their phone number stolen,” and that includes people in their circles, like his wife and parents.
In some recent cases, hackers have managed to commandeer accounts even when victims know they’re being actively targeted and have alerted their carriers, the NYT adds.
Experts both Wired and the New York Times spoke with stressed that the vulnerability of the common phone number is basically a surprise side-effect of the digital world we’ve built. And the weakest link, as is common, is human nature.
Companies like Verizon can put notes on an account, and put security procedures in place, to try to prevent this kind of attack. And to a large extent, they do. But the people on the other end are still fallible.
Attackers “will sit and call 600 times before they get through and get an agent on the line that’s an idiot,” one victim told the NYT, delivering “sob stories” about “an emergency that required the phone number to be moved” until someone believes them.
If your number is unfortunately stolen and used for this kind of fraud, you can hit up the checklist at IdentityTheft.gov to notify the appropriate authorities and start putting your life back together.