In August 2017, the NJCCIC published Hackers Are Circumventing 2FA and Here's What You Can Do About It to alert members to emerging social engineering campaigns targeting mobile phone carriers. In these campaigns, hackers called the carriers, impersonated the targeted victim when speaking to customer service representatives, and tried to convince the representatives to port the victim’s phone number to a new phone. If the scheme worked and the representative ported the number to a phone in the hacker’s possession, the hacker would receive the victim’s SMS messages, including one-time codes, and could use them to circumvent SMS-based two-factor authentication (2FA) enabled on the victim’s online accounts.
Even though mobile phone carriers do require account holders to verify their identities before making a change to their accounts, all that is typically needed is the last four digits of the account holder’s Social Security number or their mother’s maiden name – information that has likely already been exposed to hackers in any number of recent large-scale data breaches.
The initial victims of this scheme were active in cryptocurrency trading, and their exchange accounts were targeted by profit-motivated hackers attempting to steal Bitcoin. However, as more people enable SMS-based 2FA on email accounts, social media platforms, and financial accounts, porting scams are likely to increase as hackers attempt to circumvent this security control and gain unauthorized access to victims’ accounts. According to at least one news report, a family in Colorado recently fell victim to this scam and lost thousands of dollars after the hackers behind the attack gained access to all of their online accounts.
At the time we published the original blog post, the average mobile phone user could do little beyond alerting their carrier if they unexpectedly lost cell service. It was up to the phone carriers to tighten their security controls and educate their employees about social engineering scams, so we encouraged our members to contact their mobile carriers and ask for additional security on their accounts.
Fortunately, major US mobile phone carriers have recently implemented an additional security control, an account PIN, that their customers can use to secure their accounts against unauthorized changes such as number port-outs. In fact, one NJCCIC analyst received an SMS message from her carrier encouraging her to secure her account by adding a PIN after the company identified a widespread number porting scam.
The NJCCIC encourages all members to visit the appropriate link(s) below and follow the instructions to protect their mobile phone accounts from porting scams.
AT&T – Add or Remove Extra Security
T-Mobile – Protect against Phone Number Port-Out Scams
Verizon Wireless – Account PIN FAQs