Last week hackers took over the Twitter account of singer Mariah Carey and sent out sexually explicit messages to her 21.4 million followers that appeared to come from Carey. After several hours her Twitter account was secured. I reported to you in September aboutTwitter CEO Jack Dorsey’s own Twitter account was hacked. I have reported to you in the past about numerous celebrities whose Twitter accounts were hacked and almost always it was because they failed to use dual factor authentication. More and more companies such as Facebook, Instagram, Twitter, Google, Tumblr, Yahoo, WhatsApp and others use dual factor authentication which most commonly works such that when your password is used to access your account, a special code is sent to your smartphone that must be used in order to complete access to the account. This provides dramatically enhanced security. Whenever you are able to use dual factor authentication for a particular website, account or app, you should take advantage of this. Some dual factor authentication protocols do not require it to be used when you are accessing the account from the computer or smartphone that you usually use, but only if the request to access the account comes from a different device. Although we do not know if Mariah Carey’s account was protected by dual factor authentication, in the case of Jack Dorsey, he used dual factor authentication, however, it was able to be bypassed because the hackers gained access to his account by taking over his phone through SIM card swapping. SIM card swapping is a major problem. A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as a cell phone. The SIM card can be transferred between different devices, and often is, when people update into a newer cell phone. As more and more financial transactions, such as online banking, are now done through cell phones, identity thieves with access to their victims’ SIM cards are also increasingly becoming able to intercept security codes sent by text messages for online banking as part of dual factor authentication and thereby providing the identity thief with the opportunity to empty their victims’ bank accounts and cause other financial havoc.
Porting is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal. They often do this by answering security questions after gathering information about you. To prevent someone from stealing access to your phone through porting, you should have a PIN added to your account so that no one can call your cell phone provider posing as you and ask to have your SIM card transferred. If Jack Dorsey had done this, his account would have been secure.
The first step to protecting your Twitter account from being hacked is to set up dual factor authentication. Here is the link to information about setting up dual factor authentication for your Twitter account. https://help.twitter.com/en/managing-your-account/two-factor-authentication
The best thing you can do to protect your SIM card from porting is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier posing as you and convincing your mobile carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.
AT&T will allow you to set up a passcode for your account that is different from the password that you use to log into your account online. Without this passcode, AT&T will not swap your SIM card. Here is a link with instructions as to how to set up the passcode. https://www.att.com/esupport/article.html#!/wireless/KM1051397?gsi=9bi24i
Verizon enables customers to set up a PIN or password to be used for purposes of authentication when they contact a call center. Here is a link with information and instructions for setting up a PIN with Verizon. https://www.verizonwireless.com/support/account-pin-faqs/
T-Mobile will allow you to set up a passcode that is different from the one you use to access your account online. This new passcode is used when changes to your account are attempted to be made such as swapping a SIM card. This code will not only protect you from criminals attempting to call T-Mobile and swap your SIM card, but will also prevent someone with a fake ID from making changes to your account at a T-Mobile store. Here is a link to information and instructions for adding a new passcode to your account. https://www.t-mobile.com/customers/secure
Sprint customers can establish a PIN that must be provided when doing a SIM swap, in addition to merely answering a security question, the answer to which may be able to be learned by a clever identity thief. Here is a link to information about adding a PIN to your Sprint account. https://www.sprint.com/en/support/solutions/account-and-billing/update-your-pin-and-security-questions-on-sprint-com.html
You also may want to consider protecting your dual factor authentication from being threatened by a SIM swap by using a dual factor authentication app such as Google Authenticator which is not tied to your cell phone. Here is a link with more information about Google Authenticator. https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345
If you are not a subscriber to Scamicide.com and would like to receive daily emails with the Scam of the day, all you need to do is to go to the bottom of the initial page of http://www.scamicide.com and click on the tab that states “Sign up for this blog.”