Mar 15, 2019
It's Friday. Time for another Security Thing. Today, Craig discusses SIM hijacking and how to protect yourself from it by hardening your cell phone against SIM hijackers.
For these and more tech tips, news, and updates, visit CraigPeterson.com
---
Below is a rush transcript of this segment; it might contain errors.
Airing date: 03/15/2019
Sim Swaps - Hardening Your Cell Phone Against Sim Hijacks
Craig Peterson 0:00
Hey, good morning, everybody. Craig Peterson here with another
Security Thing.
Craig 0:13
And this morning, we are going to be talking about a guy out again,
this is also I think it's in California. Yes, it is California. And
this happened just last month, in fact, sentencing March 14, 2019,
and this is what's called sim jacking. And it's being used more and
more. You know, we are conscious, many of us that our personal
information is out there that we really should be keeping an eye on
it. We really should be making sure that our personal information
is protected. So what do we do? Well, we put new passwords up, user
accounts. We're using 1Password, we're using Lastpass. But there is
a big vulnerability for many people.
Craig 1:05
Some websites support two factor authentication, also known as 2FA,
and that's a wonderful thing. But the problem is, many of them only
support a type of two factor authentication that uses your cell
phone to identify you. They send a text message, an SMS message, to
identify you and who you are. So you will go on to the website and
you'll enter your username, your password, and then it'll say,
okay, we just sent a code to your cell phone. What's that code?
Craig 1:41
Now, there are much better ways of doing this with two factor
authentication. We use USB keys, we use something called Duo on our
phones.
Craig 1:51
So a special message comes through to our phone to an application
on our phone that pops up, we have to authorize it. We have
biometrics turned on as well, so that it's a lot safer. But we're
handling other people's data, right, our customers' data, then if
you're handling customer data, or employee data, you should be
doing something similar.
Craig 2:12
Well, in this case, Joel Ortiz was doing something known as a sim
swap. And he was able to use it to steal $5 million from people there
at the school and elsewhere.
Craig 2:28
What he did is he stole the phone numbers of people that had
cryptocurrency accounts.
Craig 2:39
How do you do that? Well, it's actually pretty simple. If people's
accounts aren't set up properly, all you have to do is call the
carrier, you know, AT&T, Verizon, T-Mobile, whoever it might be,
call the carrier, pretend to be the person and do what's known as
a port out. You know how you can change your mobile phone company
and still have the same phone number? That is called porting your
number, and a port out is where you call your current provider and
say, I'm moving my number out of your service and into another
service. That's a port out. So what he did is he had 40 victims.
Craig 3:24
He called up their phone companies and said, Hey, I'm moving to a
new carrier, he provided the sim number for the new phone he wanted
to port it to, and they, of course, just went ahead and moved the
phone number over for him. And you can do it quite simply, you
don't have to change carriers, you can just say I have a new phone,
I have a new SIM card and they will port your phone number to that
new SIM card.
Craig 3:50
Then what the guy did is he went online to the crypto repository,
if you will, where this Bitcoin, this cryptocurrency, was stored and he
tried to log in, recover my password, they sent the reset to the
phone number, which he had control over. And he used that to steal
about $5 million in cryptocurrency.
Craig 4:15
So he's getting 10 years in prison, but it doesn't have to be
cryptocurrency. This sim hijacking is being used for all kinds of
fraud.
Craig 4:27
So here's what you need to do to prevent this. First off, you need
to harden your account with your mobile phone provider. Make sure
you turn on something like a PIN and that you have it on your
account. AT&T lets you add a pass code to your account at
AT&T. Verizon is now requiring every customer to have a PIN or
password as a primary authentication method. Because remember, they
can call using your caller ID even before they do the port out, the
SIM hijacking. T-Mobile has what they call a port validation
feature. It's a pass code separate from the usual pass code. Sprint
offers a separate PIN you can use. So take a minute, do it right
now: call your cell phone provider directly.
Craig 5:20
Explain that you're worried about criminals taking over your phone
number and ask about whatever kind of increased security they might
have to protect your account. And then the second thing to do is
never link your cell number to your online accounts. Now, I know in
many cases, it's impossible not to. They require your cell number.
I'm thinking about PayPal here right off the top of my head. And
that's always bothered me. They don't have good two factor
authentication. At least not that I could find going online. If
you know about it, let me know. Send me a note, text me
855-385-5553 and let me know.
Craig 6:01
But take a minute, remove your phone number from any account that
could interest hackers. And you know, PayPal is one of those, isn't
it?
Craig 6:09
Use something like Google Voice which is a voice number that is sim
hijack proof because there is no sim associated with it.
Craig 6:21
That's what I've gone to. I'm using a VoIP number for the
verification number. So you obviously have to protect a number
using unique password, two factor authentication, making sure it
doesn't expire if you don't use it regularly. But there are a lot
of steps that you can take a look at your Gmail, Microsoft, Apple,
Twitter, Instagram, Facebook and Amazon account. Anything else that
you have, go into your security settings, and try and use something
like Google Authenticator or Duo. As I mentioned, Duo, D-U-O,
is something that we use here for my business to protect our
information and our customers' information. And if you'd like to
know more, let me know. Maybe we'll put together a master class for
you guys, little free class, but you gotta let me know if this is
something you think I should do. 855-385-5553.
Craig 7:14
Just text me right there and let me know or just email
me@CraigPeterson.com. Let me know that you'd be interested in
learning more, maybe some step by step to stop sim hijacking on your
accounts. All right. Take care, everybody. We will be back
tomorrow with a full radio show, my half hour show that's heard on
terrestrial radio in New Hampshire, Maine, Vermont, and also
Massachusetts.
Craig 7:44
So take care and of course it's here on podcasts as well. Bye
bye.
---
For questions, call or text:
855-385-5553