Some carriers allow only in-store changes
In some instances, a company may restrict customer accounts so changes can only be made in the store with a government-issued ID, says Kevin Lee, who is pursuing a doctorate in computer science and is co-author of the Princeton report.
T-Mobile says its account holders must choose a 6-to-15-digit PIN, and that a customer’s phone number cannot be ported without verification of that PIN. T-Mobile also offers what it calls Account Takeover Protection, which adds additional security to accounts by blocking unauthorized users from transferring your lines to another wireless carrier. AT&T similarly lets you create a unique passcode you’ll have to provide before account changes can be made, including port requests initiated by another carrier.
Cash App, which is owned by Square Inc. and not a bank, recently unleashed an artificial intelligence-driven feature that it says flags potential spam or scams for payments in the app.
But you can take steps as a smart consumer to minimize the risk. Here’s what experts suggest.
Don’t give out personal info
• Don’t reply to calls, emails or texts that request personal information. If you get such a request for account or personal information, contact the company directly on your own, using a phone number or website you know to be genuine.
• Use multi-factor authentication. As previously noted, two-factor authentication, 2FA for short, will be useless if the code to verify your identity arrives on the crook’s phone and he already knows your passcode.
But “a knee-jerk reaction may be to turn off 2FA altogether, and that is actually even more dangerous,” Lee says. Enabling this extra layer of security “only adds to the username and password requirements, potentially making it tougher for attackers to hijack. At the end of the day, it’s still better than nothing.”
David Strom of the Avast digital security firm is among the experts who recommends switching your second authentication factor from SMS texting to an authenticator app such as Authy or Google Authenticator. He also points to Zenkey, a mobile app available in the Google Play Store and Apple App Store, resulting from a collaboration among AT&T, T-Mobile and Verizon. You’ll need to get the Zenkey version tied to your specific mobile provider.
Protect your phone and SIM
• Protect the physical device. That means using the facial recognition or fingerprint scanning options common in smartphones today, Velasquez says, along with a PIN.
• Protect the physical SIM. You can lock your SIM with a numerical PIN you would have to enter every time you restart a device or remove a SIM. You can create such a PIN inside the settings on your iPhone or Android device.
• Be careful what you post online. This generally means avoiding the kind of information often prompted by security questions, including birthdates, the name of your pet, your best friend’s first name and high school mascot.
• Keep your email inbox clean. Wipe out the messages that don’t need to be there, including any with passcodes, PINs, Social Security numbers, and billing statements that may reveal some or all of these details if your device is ever hacked.
Share landline, not mobile number
• Don’t overshare your mobile number. AT&T recommends using your landline when sharing a number with a dry cleaner, grocery store or other businesses. Unless you have business reasons to do otherwise, don’t include your number on social media or as part of your email signature.
You also can get a free phone number to give to businesses or acquaintances that you don’t want to have access to your real number, and it will ring on your phone. This “burner” number is something that can protect your privacy and is easily disposable if you want a different one later.
• Report suspicious activity. If you notice something unusual, contact your mobile provider, bank and credit card company right away, and make certain your account credentials haven’t been changed. You may want to file an identity theft report with the Federal Trade Commission.
In its letter to Thomas acknowledging that her phone had been compromised, T-Mobile offered other sound advice: Consider placing a fraud alert with any of the three major credit bureaus — Equifax, Experian or TransUnion — which signals creditors to get in touch with you before opening a new account in your name.