T-Mobile hack and SIM-swap fraud: How to prevent your phone number from being stolen



SIM swapping is a serious trend you should know about.

Jason Cipriani/CNET

Just when you think the T-Mobile hack can’t get any worse, it does. On Friday, the carrier announced it discovered more customers were affected by the illegal breach. Adding to the seriousness of the hack, more information was accessed than previously thought. (You should take these steps right now to protect your financial information.)

Regardless if you’re a current or former customer, one concern about the hack is that it exposed account PINs. That’s the password that you’re asked to give to a T-Mobile employee before any changes can be made to your account. A bad actor who knows your account password can call into customer care and ask to have the SIM card linked to your phone number changed to a new SIM card, taking over your phone number. If you’ve moved on from T-Mobile to another carrier and reused the same passcode, you should change it immediately.

On the surface that may feel like it’s nothing more than an inconvenience, but once someone has access to your phone number, they can use it to impersonate you or log into your online accounts.

For example, Matthew Miller, a contributor to CNET’s sister site ZDNet, fell victim to a SIM-swap scam and he experienced the fallout for months afterward. Whoever took over Miller’s phone number gained access to his Gmail account, and promptly changed his password, then erased every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account altogether.

Miller later discovered he was targeted because he had a Coinbase account and his bank account was linked to it. Miller’s phone received his Coinbase account’s two-factor authentication code, so the hackers were able to log into his cryptocurrency trading account and buy $25,000 worth of Bitcoin. Miller had to call his bank and report the transaction as fraud. That’s on top of the immense vulnerability he felt.One ill-gotten gain for someone who takes over your phone number is the instant access to any two-factor authentication codes you receive through text messages, the PIN that an institution texts you to verify that you are who you say. That means if they have your password, they’re just a few clicks away from logging into your email, bank or social media accounts.

And if someone gains access to your email account, they can change passwords and search through your email archive to build a list of your entire online presence. Take the time to move away from SMS 2FA codes and use app-based codes instead. Seriously.

To be clear, this isn’t an issue that’s specific to T-Mobile. All wireless carriers and customers can fall victim to SIM-swap fraud. Below are some tips to secure your wireless account.


It takes just a few minutes to add a critical layer of security to your account.

Screenshot by Jason Cipriani/CNET

What can you do to prevent SIM swapping on your account?

You can decrease your chances of someone gaining access to and taking over your phone number by adding a PIN code or password to your wireless account. T-Mobile, Verizon and AT&T all offer the ability to add a PIN code.

If you’re unsure if you have a PIN code or need to set one up, here’s what you need to do for each of the major US carriers.

  • AT&T: Go to your account profile, sign in, then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
  • T-Mobile: Set up T-Mobile’s Account Takeover Protection service. You need to add the feature to each individual line on your account. I also suggest changing your account PIN (if you’re not asked to while setting up Account Takeover Protection).
  • Verizon Wireless: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.

If your phone loses service, call customer care right away.

Juan Garzon/CNET

If you have service through a different carrier, call their customer service number to ask how you can protect your account. Most likely, you’ll be asked to create a PIN or passcode.

When creating a PIN or passcode, keep in mind that if someone has enough information to fake that they’re actually you, using a birthday, anniversary or address as the PIN code isn’t going to cut it. Instead, create a unique passcode for your carrier and then store it in your password manager. You are using a password manager, right?

How do you know if your SIM has been swapped?

The easiest way to tell if your SIM card is no longer active is if you completely lose service on your phone. You may receive a text message stating the SIM card for your number has been changed, and to call customer service if you didn’t make the change. But with your SIM card no longer active, you won’t be able to place a call from your phone — not even to customer service (more on this below).

In short, the quickest way to tell if you’ve been affected is if your phone completely loses service and you can’t send or receive text messages or phone calls.


There are some steps you can take should you happen to be a victim of SIM-swap fraud.

Juan Garzon/CNET

What should you do if you find yourself a victim of SIM-swap fraud?

The truth is, if someone wants access to your phone number badly enough, they will do all they can to trick your carrier’s support representative. What we’ve outlined above are best practices, but they’re not foolproof.

Researchers were able to pose as account holders who had forgotten their PIN or passcodes, oftentimes providing recent outgoing calls from the target phone number, called by the actual account holder. How do they know those numbers? They tricked the account holder into calling. Even scarier, sometimes the researchers were able to provide phone numbers for incoming calls to the account they want to take over. Meaning the bad guy simply needed to call the target’s phone number themselves.

Once you realize you’ve lost service on your mobile device, call your carrier immediately and let them know you didn’t make the changes. The carrier will help you recover access to your phone number. I can’t emphasize this enough — do not wait to call. The longer someone has access to your phone number, the more damage they can do.

Here are the customer service numbers for each major carrier. Put your carrier’s number in your phone as a contact:

  • AT&T: 1-800-331-0500
  • T-Mobile: 1-800-937-8997
  • Verizon: 1-800-922-0204

Once someone gains access to your phone number, they’ll have access to most of your online accounts.

James Martin/CNET

With your SIM card deactivated, you won’t be able to call from your phone, but at least you’ll have the number handy to use on someone else’s device.

You’ll also want to reach out to your banks and credit card companies, and double-check all of your online accounts to make sure that the perpetrator hasn’t changed your passwords or made any fraudulent transactions. If you find transactions that aren’t yours, call your bank or visit a branch right away and explain the situation.

Remember, no matter how many PIN codes or passwords we add to our online accounts, there’s still a chance that someone will find a way to break in. But at least by setting a passcode for your account, and knowing what to do if you find yourself a victim of SIM swapping, you’re prepared.

Another critical aspect of strong online security is to use a password manager to create and store unique passwords on your behalf. Additionally, enable two-factor authentication on every account that offers it. And make sure you’re not falling for robocalls or scammy text messages.


Source link