It's shockingly easy for hackers to hijack your digital life using phone numbers. The public should press Congress and carriers to improve security.
On July Fourth, hackers accessed computers at the social media aggregator Timehop. They stole 21 million user records. Timehop executives quickly realized that the most sensitive compromised records weren’t email addresses, names or even dates of birth. Their top concern was the 4.9 million stolen customer phone numbers.
The mobile phone number has become society’s primary authentication token. If you forget the password to your bank account, you recover it by entering the digits texted to your phone number. That’s how the bank “knows” you’re you.
Compared with email and online banking, there’s almost no security to protect a phone number from being stolen. Using information and tools available easily and cheaply online, “SIM swapping” attacks can be mounted against any phone number.
Once the bad guys have hijacked your phone number, they can reset your email password and lock you out while they systematically take over your online banking, retirement accounts, photos ... every aspect of your digital life. Regaining control can take days — and you might never get back easily transferred assets, like cryptocurrency.
These hacks are the new normal
Once the stuff of dystopian fiction, these attacks now occur quite a bit. Last year, Cody Brown lost thousands while he struggled to convince his phone carrier he was not the person who ported his phone number. A similar attack was launched against venture investor Fred Wilson. He caught it in time, but locking down his cyberlife while in Europe with his family was a huge scramble.
Recently, adult film stars have been under attack. Try as they might, they haven’t gained much attention outside the information security community.
The online world considers mobile numbers more fundamental to identification than Social Security numbers. Yet carriers like AT&T, T-Mobile and Verizon are sales organizations, not security organizations. They sell products, services and at best a sense of security that keeps customers happy if not actually secure.
After the Timehop breach, executives called AT&T, Sprint, T-Mobile and Verizon, offering the list of compromised numbers so they could be monitored for fraud. Two accepted the list. The other two didn’t even respond.
Some large carriers apparently aren’t concerned or don’t fully understand what victims realize very quickly: The bank can’t tell whether the “Lost Password” SMS message they sent to confirm your identity actually went to someone else. To the bank, your number is synonymous with you.
There’s risk from the carriers, too. A huge number of low-level employees are encouraged and empowered to make substantive changes to people’s accounts. How confident are you that every low-wage salesperson at every Verizon shop will resist the temptation to exploit that power?
The risk associated with mobile phone numbers remains obscure partly because it is a high-impact but relatively low-frequency event. It’s easy to send 100 million phishing messages that a lot of people will notice. It takes more time and effort to make SIM swapping pay off, so criminals target individual victims.
Because SIM-swapping attacks have mainly stayed in technical journals not often read by mainstream users, most people don’t pressure the carriers to change anything. Consumers must become more proactive. Set account passwords, insert Do-Not-Port orders on accounts, and let the carriers know that this is important. Nothing short of a public outcry will force needed changes.
Carriers can combat hacking and theft
Carriers have tools at their disposal. For example, they could provide two-factor authentication options for customers to prove they have the real phone in hand, and they could require that their customers use them.
But that’s not enough. Carriers also must be less cavalier about giving employees the power to manipulate accounts. Impose better oversight and require more proof of identity before letting staff make changes.
If carriers refuse to act, people should lobby elected officials and regulators. The Federal Trade Commission could, for example, tighten porting rules forcing carriers to take better steps to protect customer accounts while enabling a friction-free competitive environment. Congressional staffers say they’re gridlocked over the role of the government in cyber issues like this. Telling Congress we care is a good first step to breaking that gridlock.
Mobile phone numbers serve as the single most important identifier we have in our society. Having them less protected than a Twitter password is just not acceptable.
Nick Selby advised Timehop on its incident response. He is co-author of Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between.