How to protect yourself from SIM swap scams
Some carriers only allow in-store changes
In some cases, a business may restrict customer accounts, so changes can only be made in the store with government-issued ID, says Kevin Lee, who is pursuing a doctorate in computer science and is co -author of the Princeton report.
T-Mobile says its account holders must choose a 6- to 15-digit PIN code and that a customer’s phone number cannot be transferred without verification of that PIN. T-Mobile also offers what it calls Account Takeover Protection, which adds additional security to accounts by preventing unauthorized users from transferring your lines to another wireless carrier. AT&T also allows you to create a unique access code that you will need to provide before account changes can be made, including port requests initiated by another operator.
Cash App, which is owned by Square Inc. and not a bank, recently launched an artificial intelligence-based feature that it says flags potential spam or scams for in-app payments.
But you can take steps as a wise consumer to minimize the risk. Here’s what the experts suggest.
Do not give out personal information
â¢ Do not answer calls, emails or text messages who request personal information. If you receive such a request for an account or personal information, contact the company directly on your own, using a phone number or website that you know to be genuine.
â¢ Use multi-factor authentication. As stated earlier, two-factor authentication, 2FA for short, will be useless if the code to verify your identity arrives on the scammer’s phone and they already know your password.
But “a gut reaction may be to turn 2FA off altogether, and it’s actually even more dangerous,” says Lee. Enabling this extra layer of security “just adds to the username and password requirements, potentially making it harder for attackers to hijack.” At the end of the day, it’s always better than nothing.
David Strom of digital security company Avast is among the experts who recommend switching your second factor of SMS authentication to an authenticator app like Authy or Google Authenticator. He also mentions Zenkey, a mobile application available on Google Play Store and Apple App Store, resulting from a collaboration between AT&T, T-Mobile and Verizon. You will need to obtain the Zenkey version linked to your specific mobile operator.
Protect your phone and SIM card
â¢ Protect the physical device. That means using the facial recognition or fingerprint scanning options common in today’s smartphones, Velasquez says, with a PIN code.
â¢ Protect the physical SIM card. You can lock your SIM card with a numeric PIN code that you will need to enter each time you restart a device or remove a SIM card. You can create such a PIN code in the settings of your iPhone or Android device.
â¢ Be careful what you post online. This usually means avoiding the kind of information often prompted by security questions, including birthdates, your pet’s name, your best friend’s first name, and the high school mascot.
â¢ Keep your email inbox clean.Erase messages that don’t need to be there, including those with access codes, PINs, social security numbers, and billing statements that may reveal some or all of these details if your device is hacked.
Share a landline number and not a mobile
â¢ Do not share your mobile number too much. AT&T recommends using your landline when sharing a number with a dry cleaner, grocery store, or other businesses. Unless you have a business reason to do otherwise, do not include your number on social media or in your email signature.
You can also get a free phone number to give to businesses or acquaintances that you don’t want to have access to your real number, and it will ring on your phone. This âburnerâ number is something that can protect your privacy and is easily disposable if you want another one later.
â¢ Report suspicious activity. If you notice anything unusual, immediately contact your mobile operator, bank, and credit card company and make sure your account credentials have not been changed. You may want to file an identity theft report with the Federal Trade Commission.
In its letter to Thomas acknowledging that his phone had been compromised, T-Mobile offered further sound advice: consider placing a fraud alert with one of the three major credit bureaus – Equifax, Experian or TransUnion – which signals creditors to contact you before opening a new account in your name.