Criminal hackers have been targeting Instagram users with short or unique usernames, as well as people who own Bitcoin. To steal the victim’s accounts or cryptocurrencies, the hackers first seize the cell phone numbers of targets, which gives them the ability to reset passwords on any account linked to a given number.
This kind of hack is what’s called a port out scam—an expression derived from the concept of porting a number from one carrier to another—and is also known as SIM swapping or hijacking. One hacker who used to SIM swap told me it happens “all the time,” despite telecom providers having known about this attack method for years. According to T-Mobile, hundreds of people have been hit by this scam. In the last few months, Motherboard has spoken to more than 30 victims who have had their numbers stolen. In addition to her Instagram handle, one SIM hijacking victim I spoke to got her Amazon, eBay, PayPal, Netflix, and Hulu accounts hacked as a result.
“Our phones are our greatest vulnerability,” she told me.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv
So, what can you do to protect yourself?
Ultimately, this hack relies on scammers tricking a carrier’s tech support, and if the company’s representatives take the bait, it’s important to remember that there’s only so much you can do. The good news is you can make it considerably harder for hackers to steal your phone number. And, even more importantly, you can take steps to mitigate the damage in case they are able to steal it anyway.
Here’s how.
HARDEN YOUR ACCOUNT
In light of increasing attacks against customers’ accounts, the major US cell phone providers have introduced new security features to make it harder for hackers to take over accounts and telephone numbers.
AT&T allows customers to add a passcode to their accounts. This is a credential that’s separate from the password customers use to log into their accounts online. This passcode will be required to make significant changes to the account, such as porting the number to a different SIM card. Here’s a detailed step-by-step from AT&T on how to turn on this feature.
Verizon says it now requires every customer to have a PIN or password as a “primary authentication” method when they reach out to a call center. This PIN is similar to the passcode that AT&T customers can set up, as it’s used when communicating with Verizon tech support and provides an extra layer of security.
Last year, T-Mobile started offering a “port validation feature” to protect against these hacks. This is essentially a passcode, separate from the usual password to access the online account, that is required whenever someone tries to make changes to the account, such as getting a new SIM card. Ask a T-Mobile representative to add this code to your account. This can protect you from a hacker who may pretend to be you on the phone, or from a scammer attempting to use a fake ID at a T-Mobile store, as they should still be required to provide the code.
Sprint also offers customers a separate PIN that needs to be provided when doing a SIM swap, in addition to the option of answering a security question instead.
We advise calling your provider directly and telling them that you’re worried about criminals taking over your phone number, and asking for all the extra security measures you can take to protect your account.
DON’T LINK YOUR NUMBER TO YOUR ONLINE ACCOUNTS
Once hackers steal your phone number, they leverage it to reset the password on any online account that’s linked to the number. In many cases, this bypasses two-factor authentication. That’s why having control of a phone number is so powerful.
If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, which is not tied to a physical SIM card and so can’t be taken over through a port out. Of course, you must protect this number as well, using a unique password, two-factor authentication on the account, and making sure it doesn’t expire if you don’t use it regularly.
To remove your phone from your Gmail account, go to myaccount.google.com, log in (if necessary), and then click on Personal Info & Privacy and Personal Info. If you have your number there, remove it. Also be sure you don’t have a phone number listed under Account Recovery Options. Instead, add an authenticator app like Google Authenticator as your two-factor method.
If you really want to have a number there, we suggest creating a new Google Voice number—from a different, ideally ad hoc Gmail account—and use that number. Note that Google Voice is only available in the United States, so anywhere else and you will have to try a different VoIP service. (Pro tip: always create and save recovery codes when you turn on two-factor.)
To remove your phone from your Microsoft account, go to account.live.com, navigate to Security, and then click on Update Info under Update Your Security Info. If you have a phone number there, remove it, unless it’s a Google Voice or another VoIP number.
If you use an Apple device, go to appleid.apple.com, log in, then click on Edit next to the Security section. Add your Google Voice or VoIP number as Trusted Phone Number and then remove your regular phone number if you had it there. For iMessage and FaceTime you’ll still need to provide your actual cell phone number, but you can use a different one as a Trusted Phone Number.
On Twitter, click your avatar, go to Settings and Privacy, and navigate to Mobile in the right-hand menu. If you have two-factor enabled, you’ll need to provide a number. For this reason, we suggest you provide a VoIP or Google Voice number so that hackers can’t SIM swap it. It’s also possible to just use an authenticator app or security key and remove your phone number from Twitter altogether.
The situation is similar for Instagram: From the mobile app, click on your avatar, then Edit Profile and change your number to a VoIP or Google Voice number. Unlike Twitter though, it’s not possible to remove your phone number altogether from Instagram without turning off two-factor.
For Facebook, select Settings under the drop-down arrow at the top right. First, click on Mobile in the right-side menu, and remove your phone number. Now add your Google Voice or other VoIP number. Then navigate to Security and Login (also on the right-side menu), click on Edit in the Use Two-Factor Authentication option, and make sure your new VoIP or Google Voice number is there.
Finally, for Amazon, click on Accounts and Lists, then Your Account. Then click on Login & Security, input your password, and check if you have your number listed there. If you do, you know the drill: swap it for your VoIP or Google Voice number.
We suggest you do the same for PayPal, eBay, Netflix, and other similar accounts, plus your bank of choice.