Mobile Phone Insecurity

May 2022

One individual, thinking his online accounts were secure, lost $24 million.  His mistake was using his mobile phone number as part of the security for his online accounts.

It began when his mobile phone lost its signal.  Someone had taken over his phone number.  Hackers soon took control of his Gmail accounts by using the Forgot Password feature.  They were quickly able to steal millions from supposedly secure digital wallets.

Phone numbers have been replacing passwords for accessing online accounts and have been promoted as more secure.  While there are benefits to this approach, security may not have improved.  The flaw in this approach is SIM swapping, which allows criminals to steal a victim’s phone number.  Once the number is stolen, it becomes relatively easy to take control of personal accounts for social media, banking and more.  Within minutes of obtaining control of a victim’s accounts, criminals can sift through old e-mail messages to obtain information on online bank accounts.

A phone number can be stolen by a criminal pretending to be you.  They may use a fake ID, pay a phone center employee, or trick one into putting your phone number on a new phone.  Once your phone number is under their control, Google’s “forgot my password” feature, used by many online services, allows them to take over online accounts and lock you out.  Another Google feature, Authenticator, can then be used to prevent you from regaining access to your accounts.

The most effective solution is to make it harder for SIM swappers to take control of your mobile phone number.  “This requires that you avoid providing your mobile phone number as part of two-factor authentication of online services,” advises Rogers Communications, which provides mobile phone, internet and entertainment services.  Unfortunately, this makes it harder for you to recover your accounts if you lose your phone and forget your password.