What’s Your Number? How to Avoid Port-Out Scams.
The bad news: Our phone numbers are out in the world—tied to various accounts and apps—and bad actors have ways of getting their hands on them. The good news: When someone asks for your phone number at a bar, you have another legitimate reason to decline. (Simply not wanting to is also a legitimate reason.)
Though our phone numbers seem like an innocuous piece of information about us, they can be dangerous when in the wrong hands. Here’s what hackers can do with your number, how they find it, and what you can do to stop them.
Your number is all over the internet
When you create a profile for a new social app, you’re often asked to provide a phone number—think: Clubhouse, Hinge, etc. Should you forget your passwords, phone numbers are also often used as a backup to access your online accounts, including your email. Various online purchases require a phone number, and many of us use our phone numbers for multifactor authentication.
So how does your phone number end up in the wrong hands?
How a hacker gets your digits
Unfortunately, just telling a hacker they can’t have your phone number isn’t an option. Here are two ways one might siphon your info, one more likely these days than the other:
- The old-fashioned way: Run-of-the-mill sorting through trash to find your old paper phone bill. (What year is it?)
- How you'd expect: Data leaks, info dumps, and PII collections from those various apps and accounts we listed above available for sale or exposed for free, likely on the dark web.
What they can do with this information
Little did we know those spam calls telling us our car was past its warranty were just the beginning. There are actually more damaging things a hacker can do with your cell phone number, including:
Also known as “porting,” this is when a hacker transfers your number to a new carrier. Using phishing or other methods, a bad actor gains enough personal information on you that they can contact your cell phone provider and “port out” your number to their own SIM card, then proceed to make calls and text as if they’re you, including taking over the accounts where you use your phone number as a backup for password resets.
SIM card cloning
More elaborate and less common, if a hacker has the right technology, they can scan your SIM card’s ID number if it’s nearby. Most phones have built-in security to prevent this, so the attacker would likely need a physical SIM card to pull this off.
As Hackernoon put it, with your phone number, a hacker becomes you. They can now:
- Reset passwords to accounts tied to you number to gain access
- Reach out to your contacts using phishing techniques to gather more personal information or engage in more social engineering
What to do before a port-out scam happens
Cyberattackers and port-out scams may be clever, but it’s possible to stay a step ahead. Here are ways to protect your number and your identity:
- Call your cell service provider and enable two-factor identification. To ensure that going forward only you can port out your phone number, ask your service provider to create a secondary password or security code. Make sure it’s a unique, strong code or password.
- Switch to multifactor authentication that doesn’t require your phone number. Authenticator apps like Duo give you a short window of time to authorize access to an account, making this method extremely secure. Plus, you can install the app on your phone, but you don’t need to share your phone number with the app. Additionally, physical security keys, like Yubikey, can act as authenticators and need to be physically plugged into your USB or held near your device, making it nearly impossible for a hacker to get their hands on it.