Posted by Chuck on February 13, 2018

Securing my Mobile Phone and Email Address in a Data-Breached World

Introduction

After the Equifax breach and so many others, it’s best to operate under the assumption that our most sensitive information is out there somewhere in the wrong hands. It’s high time to secure our mobile phones and email addresses.

As bad as it is that our personal data can fall prey to hackers, there are typically multiple levels of validation for important transactions, and hopefully those will stop the bad guys from doing serious damage. We typically think of a bank account as the most valuable asset; in fact, many large bank transactions have safeguards against abuse, such as email or text validation.

Everything depends on your phone/email, however, and if those are weak everything is at risk. Conversely, if your phone and email are secure, then even if hackers somehow got hold of your bank account, the results may not be as devastating as we would imagine.

Lock Down your Mobile Phone

First you’ll definitely want to enable a password/touch-ID on your phone. I think most people do that. In the event the phone is lost, it’ll be hard for anyone to get in there, and in the meantime you can hopefully freeze the device or the phone line.

Beyond that, there are two key vulnerabilities to the standard SMS text message:

  1. The porting issue (a.k.a. sim swap) where a hacker can port out your number to themselves and proceed to reset all your passwords using the SMS reset option.
  2. Sophisticated hackers might be able to intercept your text messages even without taking over the phone.

Not sure if there’s anything to do about the second issue, but regarding the first issue it’s important to lock down your phone’s porting feature to ensure that can’t happen. Most major carriers have some sort of PIN or passcode needed in order to port out a number. It’s also important to verify that there aren’t other ways for hackers to port without the PIN.

  • Every AT&T account has a PIN/passcode of 4-8 digits which is needed to port a number. Were you to ‘forget’ your passcode, you can change it in the online login by inputting the last 4 of your SSN and your zip code. So a hacker would need your AT&T online credentials + SSN + zip to port your number.
  • T-Mobile: Milesperday did a post on this recently, which inspired this post. It seems that with T-Mobile there is no PIN by default, but you can set one up. I don’t know exactly what’s needed to change the PIN; at the very least they’d need your T-Mobile password.
  • Every Sprint account has a 6-10 digit PIN which is presumably needed to port a number. They also have a security answer which can be used to reset the PIN. It’s worth making that answer difficult so that it’s not easy for a hacker to guess. And again, you’ll want to ensure your email is secure since that’s another reset option.
  • Every Verizon account has a 4-digit PIN which is presumably needed to port a number.

Apparently, T-Mobile is the only one that doesn’t have a PIN by default. It seems some MVNOs also have insecure porting systems.

A crucial question still remains: how easy is it to switch the PIN using the ‘forgot PIN’ option over the phone? Doing so online would require knowledge of your login password, but what about over the phone or in a store?

Some carriers might allow resetting the PIN with the billing address, as this story indicates regarding Verizon. It’s entirely possible they don’t allow that anymore. I looked into AT&T specifically, and was told that absent the PIN/passcode, text or email validation would be necessary to port the number over the phone or in a store. So if you don’t lose your phone and your logins are secured, it would be hard to hack. Let us know if you have information on other carriers.

Regardless, hackers usually go for the point of least resistance, and if some mobile phones don’t have PINs at all, they’ll try doing the sim swap there first. It’s also worth using a more secure login password on your carrier’s website to avoid having a porting issue with a hacked login password.

Lock Down your Email

You’ve probably heard of 2 Factor Authentication, or 2FA. Lots of online accounts offer a 2FA option, and it’s vital to enable it on your email address at a minimum, since that’s the reset link to your whole digital life. Yes, it’s a pain in the neck, especially for someone like me who juggles multiple email logins. Just realize most people don’t log in to their email too often since it’s saved in the browser or phone; 2FA only kicks in when you’re logging in with a password.

There are two methods of 2 Factor Authentication:

  1. The standard method whereby your email provider like Gmail will send you a code via text message to input during login.
  2. Another option is to use an authenticator app on your mobile phone to verify during login. Google offers an Authenticator app as well as a prompt option which can be a bit easier. They also offer backup codes you can print out and save for a scenario where you don’t have your phone. Others recommend using a separate authenticator app called Authy.

In terms of convenience, the SMS option might be a bit simpler in some sense, yet from a security standpoint the authenticator options are superior since phones can be ported or intercepted. If you have your phone locked down with a PIN, as discussed above, the SMS option should be fairly secure, though there’s still the possibility of interception by a sophisticated hacker.

You’ll find many other online accounts offering a 2FA option. On my AT&T online login there’s an option to require your account PIN during login, somewhat similar to the conventional 2FA system.

Final Thoughts

Far from being a security expert, I have done a bit of research about how to protect myself, and it’s well worth looking into your own electronic vulnerabilities too. Email addresses and mobile phones are key entry points everyone needs to secure. There could be additional things you should be safeguarding as well, like your computer login or Dropbox account.

You can read many hacker stories online if you need more motivation. Check out this guy who literally watched himself get swindled out of $8,000 in cryptos. Other stories here and here.

Hopefully there’ll be some security experts who will chime in below if there are any inaccuracies in this post or other important things to know.

Don’t forget about the case of a lost/stolen phone.
You need to set a password on it, so no one gets access to your e-mails, notes and other confidential information. And block the SIM as soon as you notice that the phone is missing. Remote erase is also a valuable feature in this case.

Good point. Now I always have a password set on my laptop, tablet, and iPhone when I travel. Some stolen devices with passwords can still be hacked even with a password, but it will delay any potential data breaches and give some time to notify banks, etc….and change PINs and passwords.

You can also set a SIM card PIN.
Here are instructions for AT&T: https://www.att.com/esupport/article.html#!/wireless/KM1000485

A SIM PIN only blocks calls and mobile data; a thief can still turn on the phone, connect to some Wi-Fi, and get the data.

If I’m on a MVNO that’s on the Verizon network, how do I check or set my 4 digit pin?

Check with that MVNO because the MVNO is the one to give you an account# and pin, not the network.

Thank you for making this. Definitely needed. Cheers!

This is a good place to share stories about breaches. I have had several breaches in the last several years. Last year my paypal account was breached when I was traveling outside the US. I believe my Paypal password was breached through an unsecured Wifi connection while traveling in Argentina.

Paypal sent me an email and I talked with a security expert at Paypal. He explained that hackers try to find Paypal accounts that have not been used recently and transfer money out. He said Paypal detected logins into my Paypal account from France and a couple other countries outside the US.

Wow. Seriously? What’s the point of the whole encryption song and dance if they can breach your password?

His password was sent in plain-text over an unencrypted network. That’s an oops, but not Paypal’s.

I honestly do not know how my Paypal password was compromised. The Paypal expert speculated that it was compromised through a Wi-Fi connection like WEP. Remember that WEP Wi-Fi is not secure and can be easily cracked. WPA is more secure than WEP but it is not 100% secure. There have been many cases of WEP and WPA Wi-Fi networks compromised, unfortunately. WPA2 is considered more secure than WPA, but still it can be hacked by a device connected to the WPA2 Wi-Fi network.

If I could edit my original message, I would word it differently and re-phrase “I believe my Paypal was compromised through a unsecured Wifi connection” to a “possible breach through a Wifi connection” that may have had WEP or WPA encryption.

If you talk with security experts now, they will tell you that hackers have the upperhand in hacking vs. security at this point in time. It is a cat and mouse game with hackers improving their skills and tools, and the security industry scrambling to send out patches as quickly as possible.

Google “Meltdown and Spectre” for examples of potential breach vectors.

Consider using Authy instead of Google’s Authenticator app for 2FA. There is no way to back up your Google Auth app info, so if you lose your phone or have to reset it, etc., you’ll be unable to access any of your accounts that have two factor enabled.

I look forward to people discussing various aspects of Google Authenticator vs Authy and maybe recommending other apps also (I know physical keys like Yubikey are more secure). I’m primarily interested in the security aspect, I don’t mind the inconvenience of using a one-time key when swapping phone.

It seems Authy has a setting for multi-device support, handy when transferring phones but also a hacking hole. G Authenticator has a digital key (string of numbers and letters) that you can use as a one-time login, similar to Gmail.

Not smart phone security related but ID theft related. Always use the gas pump facing the attendant. Those are the ones least likely to have skimmers.

T-Mobile sent out a text about an industry-wide phone number port-out scam and sent out instructions via text.

Just went and switched my current AT&T password which was a general one I use on low priority sites to a full-strength one.

*your Congress person is a whoree

Some MVNOs (such as Airvoice) use the last four of the phone number as the PIN when porting to other carriers. I personally had the experience of porting my number from Airvoice to Verizon, and all Verizon really needed was the full phone number and the last four of the phone number (not very hard), serving as the PIN. Pretty insecure, I’d say.

Useful and timely guide Chuck, especially with so many stories of Tmobile customers being defrauded via sim swap. I’m no security expert but here’s some other things I’d stress based on my understanding of occasionally reading up on these things:

SMS – I think it’s worth stressing to never use SMS as two factor authentication unless that is the only option (looking at you Twitter), it’s a huge security hole, especially on your main email account. People using Gmail as their main email address, don’t put it off, go disable SMS as 2FA right now if you haven’t. Before doing that though make sure to have the one-time backup keys and also an actual 2FA, like G auth, Authy or physical key. Do same elsewhere if you have the option to.

Password managers – Must have, can use across devices including mobile, convenient and more secure than your methods of using a base word and adding others to make unique passwords. Some of them store the data on the cloud, some on your computer, some both. 1Password and LastPass are very popular, there’s many others. Make sure your master password is pretty strong but something you can remember. Same principle of locking down your pass manager with 2FA like your main email (all email addresses you use for that matter).

Updates – Keep apps up to date (same on your computer), as often app vulnerabilities are what get exploited in mass intrusions; set them to auto-update over wifi, and be careful with installing 3rd party apps from non-official sites (though even official ones have at times housed compromised apps).

Encryption – If your phone isn’t encrypted by default (most should be nowadays), make sure to turn it on. I’d also recommend it on other devices, including computers, though you might have to upgrade or get 3rd party apps on computers.

VPN – Use them both on your computer and your phone, a must have if you’re gonna use open/public wi-fi; I’d use them everywhere other than at your place or your SO’s.

What other things would others add re best & reasonable practices?

Here’s a useful security guide that gets updated with relevant info, aptly named The guide to not getting hacked, from Vice/Motherboard: https://motherboard.vice.com/en_us/article/d3devm/motherboard-guide-to-not-getting-hacked-online-safety-guide

RED BIRD FOR LIFE!

I’m not sure what people here do and feel about using security apps on phones. I often see people say assuming best practices are in place, they’re useless and just drain your battery. Yet I see some guides (like the one I posted on the long comment) still recommend using them.

What do you mean by security app on phones?
Thanks for the comment above btw.

Antivirus/antimalware type apps, similar to what we use on computers.

If I knew how to contact you privately, I would. Thank you for this valuable info, but shouldn’t comments like #560245 from “Credit” be removed? Really, he’s obnoxious and destructive.

Thanks for the great post Chuck.

I didn’t realize that a mobile number could be breached so easily (swap sim & porting). We should all be extra cautious on these weak spots in the chain.

For the love of God you MUST use a VPN while using unsecured wifi networks. Also don’t use Google Authenticator because if you lose your phone you’re screwed. Authy backs up your account online via user/pass so don’t forget that.

cricket… cricket…

That’s what I’m hearing. You’re preaching to the choir here.

I agree with you Ken. Unfortunately humans are not perfect and sometimes make mistakes.

Unfortunately some VPNs don’t connect on all WiFi networks. To top that, some banks and other sites don’t allow connections from known VPN providers. It’s almost useless to always switch it on and off.
