Most people’s social media accounts are hacked because they forget to set up dual-factor authentication or update their passwords every now and then. But in the case of Jack Dorsey, Twitter CEO, he had his password and login procedure up to date. So how did it end up that over Labor Day weekend, his account was taken over and a string of racist tweets were sent out? Because Dorsey was the victim of a SIM swapping scam.
This is not the first time Better Business Bureau Northwest + Pacific has heard about SIM swapping. SIM swapping is when a hacker transfers your personal cellphone number onto his/her own device through a process called “porting.”
The scenario often looks like this: Your cellphone carrier gets a call from a hacker pretending to be you. The hacker more than likely already has information on you, such as your birthday and mother’s maiden name from a quick search on Facebook, and can easily use it to work out and bypass the passwords or security questions asked by your cellphone provider.
Once a hacker seizes your number, he can use it as a master key to all related accounts such as Netflix, Amazon, Instagram and, of course, mobile banking, since our cellphone numbers are associated with almost every facet of our online identity.
In the case of Twitter’s Dorsey, hackers got access to his phone number so that all incoming calls, texts or verification codes would be sent to the scammer, not Dorsey. Using Twitter’s “text to tweet” feature, they were then able to send out tweets without actually needing to log in to the Twitter app itself.
Because our phone numbers are associated with many of our online accounts, a successful SIM swap can wreak havoc on the average consumer or small business owner. For instance, a hacker with your phone number can then attempt to log in to your social media accounts and change everything. Typically, hackers target Instagram users with short, unique usernames. Why? Because if they can take over that account, they can sell your username for bitcoin on the dark web.
What’s particularly scary about this scam is that consumers and business owners may not know right away their phone number has been compromised. The good news is, cellphone carriers are aware of this growing issue and are setting up protocols to better protect consumers.
BBB NW+P recommends these tips:
— Ask your cell phone carrier if they offer a “port validation feature.”
— Make sure you already have passwords or security codes set up with your cell phone carrier that are required to access any information about your account.
— Don’t use password-saving functions or keychains, especially for important accounts (banking).
— Wherever you can, remove your phone number from your online accounts. If a phone number is required, consider setting up and using a Google Voice number.
— If your phone is stolen or lost, call your cell phone carrier immediately to deactivate your SIM card.