How to protect your investment (and other) online accounts from the phone porting scam
In part 1 of this article, we talked about how hackers are stealing millions of dollars from investors and consumers using just a phone number. In part 2 of this article, we'll talk about how you can protect yourself from this new scam. Doing the two-step The 1st step is to harden your cell phone account at the phone company to make it harder for the casual hacker to steal your phone number. You do this by placing restrictions on your account that theoretically prevent the hijacking from happening. In an ideal world, this would be enough. Unfortunately, the customer service reps don't always correctly honor the restrictions, and many people have still been vandalized despite this. So while it's a good 1st step, it's not enough. The 2nd step is to harden your sensitive online accounts (email, financial, social media, storage etc.). There are 2 ways to do this, with the more difficult one being the more effective. "Harden your heart" First, you need to harden the cell phone account at the phone company. As I mentioned, this is not foolproof, because customer service reps don't reliably honor these. However, they are really good 1st step to stop a casual hacker. A security advisory at Kraken recommends the following:
Set a passcode/PIN on your account
Make sure it applies to ALL account changes, all numbers on the account.
Ask them what happens if you forget the passcode, and then ask them what happens if you lose that information too. This will let you know what you're up against.
Institute a port freeze
Institute a SIM lock
Add a high-risk flag
Close your online web-based management account
Block future registration to online management system
Attempt to hack yourself and see what information they will leak to you and what account changes you can make.
Protecting your online accounts After this, it's time to harden all your sensitive online accounts. This is not only your email and financial accounts, but also your social media and storage. Basically, if you don't want someone to have access to it, you need to protect it. Experts recommend 2 different ways to do this. One recommendation is to create a 2nd email account that you use only for your sensitive accounts. This has the advantage of being pretty easy to implement. However, at least as far as I can see, it doesn't work 100%. On some sites, the hacker only needs to know your username and have control of your cell phone number to change your password and take control. So from my point of view, I'm not seeing how this really helps. A 2nd recommendation is to create a Google voice account that you use as the phone number for all your sensitive accounts. Google voice does not allow porting (unless you change the setting, which you simply just don't do). So this method safeguards all of your sensitive accounts from being hijacked by porting. The downside is that it's painful. To do it right, you have to 1st set up a standalone Google email account. Then you have to set up a Google voice account. You don't want to forward this to your normal cell phone, because it will undo the point of all the protection (i.e. someone who steals your cell phone will still have access). it took me about an hour to just set up these accounts the 1st time, because it isn't straightforward. Then it's a bit of a pain to use. If you are relying on text messages from your bank for instance because you will have to remember to check the separate Google voice account. Also, if you need to call the institution from the phone number on record for some reason, it's more of a pain because you have to do it through Google voice. And if you have lots of individual accounts, it might take you a couple of days to finish the entire switch-over process. However, it's a lot better than the alternative of leaving yourself open to being hacked. What accounts do I need to protect? Anything that's important or sensitive. For example:
Email accounts (Gmail, Hotmail, Outlook 360, etc.)
Financial accounts (Banks, mutual funds, brokerage, investments, etc.)
Information storage accounts (Dropbox, iCloud, Google drive, etc.).
Social media accounts ( Facebook, Instagram, LinkedIn, etc.)
Where to get more info? The Kraken security advisory, step 3 option B has a step-by-step walk-through with pictures on how to set up a Google voice account.
As I mentioned earlier, will 1st need to set up a separate, hardened Google email account, which you can set up using the same process the author describes. (Maybe there's a way to set up the Google voice without the email, but I can't find a way to do it). Also, this article on Forbes gives a high level of explanation of how to fix the problem, and explains option one for those who wish to go that route. Freeze It Update 2018-07-06: unfortunately there is yet another new cell phone related scam that requires a different fix. In this one, the crooks steal your identity by opening up a brand-new cell phone account that you don't know about. They use this to run up bills and engage in criminal activity, etc. And this one is really bad because you as a consumer have little or no protection because it's done through a cell phone account. To stop it, you'll want to do a freeze on the National Consumer Telecommunications and Utilities Exchange (NCTUE).
"There are three ways to freeze your NCTUE information: online; by telephone (866-349-5355); and by mail (NCTUE Security Freeze, P.O. Box 105561, Atlanta, GA 30348). You can also opt out of data collection or set up NCTUE fraud alerts here.
Currently, there is no charge to freeze and unfreeze an NCTUE credit file. Make sure to have a pen and paper on hand because you will be given a PIN. Keep this in a safe place in case you need to change your preferences in the future, such as if you are changing a cell-phone, cable, gas, or electric utilities provider.
But NCTUE is just one of dozens of smaller credit reporting agencies that tailor data collection for myriad industries including landlords, subprime lenders, and other companies that subscribe to these services.
“We recommend consumers freeze their credit at the major credit bureaus, and where possible, at these smaller, less well-known companies as well,” says Anna Laitin, director of financial policy at Consumers Union, the advocacy "