Phone Number Get Stolen?

Someone I know recently had their T-Mobile phone number stolen from them. A thief walked into a Metro PCS store and had it ported away. Once the number had been transferred they started calling this person’s financial institutions attempting to access the accounts. Luckily these institutions have sophisticated security controls and social engineering training in place and these attempts were intercepted. They resulted in a massively inconvenient lockdown of their financial life, but it’s much better than the alternative – a successful heist of everything.

With this in mind I whipped together my top thoughts on what can be done to prevent specifically this type of incident from occurring to you, and to detect and respond to it if it does happen.

  1. Don’t use your direct cell number for anything. I run mine through Google Voice.
  2. Don’t use SMS as a 2nd factor for anything if you can help it.
  3. Secure things (e.g. Google/GVoice account) with FIDO/U2F dongles or smart cards.
  4. Email is also not a valid 2nd factor.
  5. Call your cell carriers and work with them to place whatever porting locks and verbal passcodes you can on your accounts.
  6. Call your banks and determine what other protections you can put in place.
  7. Routinely audit all financial accounts for irregularities (I do it twice a month.)
  8. Don’t re-use passwords (duh) but also don’t re-use “security questions” like “What City Were You Born In?” between websites. I make unique ones and put them in a password manager.
  9. Don’t trust online password managers.
  10. Don’t trust online file storage – make offline backups regularly.
  11. Run anti-malware. I run a duo of Windows Defender and Cylance. We do not live in a post-AV world. It’s a no-brainer level of defense.
  12. Don’t click random bullshit or open random bullshit in email.
  13. Run a decent anti-spam and anti-phishing platform between the net and your mailbox. It’s worth it.
  14. Log out of shit when you’re done with it.
  15. Credit monitoring isn’t totally baloney. Take advantage of the inevitable free year of monitoring you’ll get from a company for the breach du jour, provided you’ve reviewed the terms and conditions of accepting it, of course.
    1. Don’t give up your right to sue unless you’re sure of what you’re doing. I am not a lawyer, but I always recommend consulting with one if you’re not sure.

Tl;dr be proactive to avoid being pwned, and have a plan for *when* you do get pwned because in the world of {$CURRENT.YEAR} you will get pwned eventually.