Preventing cell number hijacking with Verizon

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Preventing cell number hijacking with Verizon

Post by learning_head » Wed Jan 31, 2018 9:51 pm

There are plenty of stories on these forums and other places regarding hacks / hijackings of cell phone numbers in order to break into financial accounts by resetting passwords on them using the stolen phone number / email.

2 attacks that are described: someone pretending to be you
- ports your number to their carrier, or
- moves your number to their new SIM card with same carrier

Has anyone had any luck on trying to prevent this with Verizon?

For example, this article suggests:
You need to call VZW and tell them you want to lock down your phone number and account and everything else on your account, too, including other phones and tablets.

You may have to help the VZW rep know what to do.

Here’s what to say:

Tell VZW you want a “port lock” on your account so someone cannot easily just port your phone number to another wireless company using the other company to initiate the phone number change.

Ask VZW to place a “fraud alert” flag on your account that will pop up every time you call. That should put the VZW rep on notice that you have had ID security threats in the past and to be extra cautious for any sudden account modifications that seem out of spec.

Ask VZW to NOT use your SSN for ID.

Have VZW lock your SIM card to your phone — so someone cannot easily “SIM swap” your phone number to their burner phone.

Put a PIN lock on your account — so when you call — someone cannot easily make changes to your account, including unlocking everything you set to be locked.

When I called a few times, I got nowhere... Reps are clueless and don't know which department would handle this. Fraud department does not take calls until fraud has taken place.

Any success stories out there? If so, what have you been able to do and how did you manage to do so?

Best they could do for me is notate the account to not allow ports but who knows if that note will be visible enough. Also, this does not help for SIM switch attacks where instead of porting the phone number out, hackers switch your phone to their own SIM with same carrier.

Verizon also said porting out numbers requires knowing my pin; however, all the horror stories don't seem to mention it. I suppose hackers can pretend they forgot the pin.

PaddyMac
Posts: 1480
Joined: Fri Jul 09, 2010 10:29 pm

Re: Preventing cell number hijacking with Verizon

Post by PaddyMac » Wed Jan 31, 2018 10:35 pm

I have a Mac and a laptop and an iPad. We don't use our iPhones to access any of our bank accounts, and especially not Vanguard account. I only sign onto Vanguard from our Mac and I keep the password on paper only, not in the Mac itself. Whatever I might need to do can wait until I get home.

I don't give our cell number to our banks or Vanguard. They have to use the home land line. Good luck hacking that.

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Re: Preventing cell number hijacking with Verizon

Post by learning_head » Wed Jan 31, 2018 10:37 pm

@PaddyMac

1) Your home landline can be ported away too unless you have a port freeze on it.

2) Note that I don't access any banking related sites from my phone either. It's only used (a) as second factor in 2-FA, in addition to password and (b) for various banking alerts about any activity on the accounts. Are you saying using 1-factor authentication (your password) is better than 2-factor authentication using SMS + password for logins? From what I read, general recommendation is still to use SMS 2-factor authentication (if you can't use anything better like authenticator app); but it does seem like 2-FA may hurt you if they steal your phone because then they use it against you to reset your password. Then again, if someone wants to reset your password, they would need your landline anyway, so you might as well set up 2-FA (e.g. with a call to your landline) to get the benefits. Am I thinking about this right? Do you have any alerts about financial transactions going to you via SMS?

Katietsu
Posts: 1575
Joined: Sun Sep 22, 2013 1:48 am

Re: Preventing cell number hijacking with Verizon

Post by Katietsu » Wed Jan 31, 2018 11:24 pm

Yes, Verizon requires that you provide both the account number and the PIN to port the phone number. I believe this information is also required to move the number within Verizon unless you are there with photo ID in person. Quite frankly, I know a lot of people who have been unable to port their number because they did not have the PIN so they take this seriously. Sometimes cell phone switches are an inside job, so a fraud alert wouldn’t help. In the world of protecting yourself from identity theft, I would not spend much time on this one.

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Re: Preventing cell number hijacking with Verizon

Post by learning_head » Thu Feb 01, 2018 1:10 am

Thanks for the info, Katietsu. That makes me feel better... However,

- the stories out there indicate that crooks indeed come in with fake photo IDs to a shop in order to hijack the numbers.

- also, what happens if you forget your pin number? Last time I reset this over phone (not even in person), I think they just ask some minimal info before allowing me to reset the pin. To be honest, it's been a while, so I don't recall all the details other than thinking they did not ask me much.

- do you also need the pin for SIM swap? I.e. someone calls in saying I lost my phone and/or got myself a new one and want to switch the number to the new SIM card.

TropikThunder
Posts: 1032
Joined: Sun Apr 03, 2016 5:41 pm

Re: Preventing cell number hijacking with Verizon

Post by TropikThunder » Thu Feb 01, 2018 1:15 am

learning_head wrote:
Thu Feb 01, 2018 1:10 am
- the stories out there indicate that crooks indeed come in with fake photo IDs to a shop in order to hijack the numbers.
That sounds more urban legend than realistic threat. So a hacker would have to know the name of a person with a lot of investments, know their phone number and carrier, and THEN make a fake ID just to port out the number? And you don't go to the current provider to port out, you go to the new company. Carriers don't port out numbers, because they don't have access to the systems of the carrier it's going to. Even then, how does stealing my phone number allow someone to change my Vanguard password? Having my phone number (but not my actual phone) doesn't give you my email address or account logins. I don't have enough tin foil to make a big enough hat to buy this.

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Re: Preventing cell number hijacking with Verizon

Post by learning_head » Thu Feb 01, 2018 8:30 am

TropikThunder wrote:
Thu Feb 01, 2018 1:15 am
learning_head wrote:
Thu Feb 01, 2018 1:10 am
- the stories out there indicate that crooks indeed come in with fake photo IDs to a shop in order to hijack the numbers.
That sounds more urban legend than realistic threat. So a hacker would have to know the name of a person with a lot of investments, know their phone number and carrier, and THEN make a fake ID just to port out the number? And you don't go to the current provider to port out, you go to the new company. Carriers don't port out numbers, because they don't have access to the systems of the carrier it's going to. Even then, how does stealing my phone number allow someone to change my Vanguard password? Having my phone number (but not my actual phone) doesn't give you my email address or account logins. I don't have enough tin foil to make a big enough hat to buy this.
This is part of the problem - until people encounter this, they won't get worried and both carriers and the government are behind on addressing this. I've heard of the same issue a while ago and dismissed it just like you did. Then it happened to someone I know online. Then it happened to someone I know in real life. If you google it, you will find all kinds of schemes that are popping up more and more.

None of this is difficult or expensive for crooks. You identify some potential targets. They don't have to be super rich or have a "lot of investments". They just have to be worth your time, which is about a few hours' worth of "work". You can find them online and in articles and on LinkedIn and via stolen info on the darkweb and via company websites. You can find their phone number easily in various publications or forums or again info on the darkweb, etc. Reverse lookup on the # gives you the carrier in seconds. Fake ID is simple enough to make for a crime ring. Takes a few minutes. Then you go in to
- either same carrier to claim you lost your phone and want the phone transferred to this new SIM on your new burner (i.e. temp phone) until you buy a new real one
- or go to different carrier asking them to port your old number from old carrier
- or phone in with same requests.

I think with some scams your history gets ported along with the phone number. In other cases, they don't need the history and/or have info on you from various breaches. In both cases of people I am familiar with, it seems like crooks either got more info from the phone itself or had some more public info.

Once they control your phone number, they can ...
(a) go straight to your bank login page (can try big ones first, and if you have a history of texts, may get an idea of which bank is used from there, or see (c) below to get into email and find the target's banks, or again look at that info you bought on your targets from the breaches like Equifax). Click on the link that says you forgot your username. Usually banks don't ask for too much personal info to give you your username. Username is easy to get to. Try it with yours...
(b) go back to main bank page and now enter the correct username and click on link that says you forgot your password. Here is the most important part: to reset the password, the banks send a text to your phone that the crooks now control. Now, they are in your bank account...
(c) alternatively, reset your email password using same steps as (a) but with email provider. Finding your email address out there is often easy for people too! Once they are in your email, they can see which banks are sending you info. Go to those banks and repeat step (b) and this time they can use email as well since they control it too.

tev9876
Posts: 116
Joined: Thu Sep 14, 2017 9:12 am

Re: Preventing cell number hijacking with Verizon

Post by tev9876 » Thu Feb 01, 2018 9:26 am

I didn't think much about this topic until reading this thread here on bogleheads.
viewtopic.php?f=2&t=228799&hilit=stolen+retirement

My cell phone is company owned so I don't have administrative rights to anything related to the Verizon billing. Apparently I'm on a "family" plan with 99 other people. Our IT department takes care of everything including ordering new phones, paying bills, etc. I have no idea how many people in IT have access to the spreadsheet they use to track everyone's information or who is actually authorized to make changes at Verizon. The same people probably have access to HR network files that could give them plenty of personal data if they decided to go over to the dark side.

My personal number was ported to Google Voice a few years ago when I got tired of carrying two phones. This number also rings through to my Verizon phone, plus I can call/text from just about any device that can log into Google. This seems to be a more secure setup as you must go to Google to unlock your number and pay a $3 fee before it can be ported out. Since I use two factor authentication on my Google account, this should be a pretty good roadblock for an identity thief. I went through and removed my Verizon number from bank and retirement accounts and only have the GV number attached to them.

learning_head
Posts: 836
Joined: Sat Apr 10, 2010 6:02 pm

Re: Preventing cell number hijacking with Verizon

Post by learning_head » Thu Feb 01, 2018 10:32 am

Thanks tev9876,
tev9876 wrote:
Thu Feb 01, 2018 9:26 am
I went through and removed my Verizon number from bank and retirement accounts and only have the GV number attached to them.
I found that some banks / credit unions don't work with GV for sending alerts on various activities. For security reasons, I like to be texted whenever some activity is happening on my financial accounts. What do you do for those?

Unfortunately, I don't believe the banks distinguish phone used to send alerts vs phone used to recover "forgotten" password :-(

tev9876
Posts: 116
Joined: Thu Sep 14, 2017 9:12 am

Re: Preventing cell number hijacking with Verizon

Post by tev9876 » Fri Feb 02, 2018 4:08 pm

I have not run into that. I did run into an issue with my Pixel XL and an Android update that disabled text messages to the Verizon number for a couple months - it was a known bug for a small group that took months for Google to patch. I didn't realize it at first - just thought the text didn't go through when I had to reset something, so I tried the GV number and all was good.

I really only worry about my retirement and bank (cash) accounts. If someone hacks my credit card only accounts at Chase, Citi and so on I don't really care as it is not my money so I have both phone numbers there.

I've also gone to the Google Authenticator app instead of a text message for Gmail. Even if they port my number they won't have the correct sync unless they steal my phone too.
