Mobile Account Hijacking

Cyber criminals have once again come up with creative ways to gain access to your online accounts and steal your data. An attack vector that is gaining popularity is called "Mobile Account Hijacking". The attacker calls your cellular phone service provider and pretends to be the account owner (you). Once in contact with your provider, they have your phone number transferred to a device that the attacker controls. With the mobile number transferred, the attacker goes online and begins resetting the passwords of accounts that allow password resets via a registered phone number. Once a password is reset, the attacker has access to that account. Luckily, there are some easy steps you can take to protect yourself.

One of the most important steps is to establish a password or PIN that is required before making changes to your mobile account. Each of the major carriers offers this feature to their customers in a slightly different way.

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store, will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note that when you log in online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint requires customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.
