More and more of our everyday internet accounts are connected to our mobile phones. Two-factor authentication was designed to give a user an extra level of security. Trying to log in on a computer? The service, such as Google, will send a code to your registered mobile device via SMS. Having two devices to verify your login attempt theoretically provides more security, but what happens when someone else has your phone, or your phone number?
This is exactly the kind of hack that has been happening in recent times. A hacker takes your phone number without ever touching your phone, simply by calling your service provider. Impersonating you, armed with your date of birth, social security number or anything else they may find about you online, the hacker pretends to be you asking for a new SIM card to be registered for a “lost or stolen phone.”
It’s a social engineering exploit that is as easy as it sounds. Once a hacker controls your SIM card, they can fairly easily gain access to your social media accounts, your Google account -- anything whose two-factor verification is tied to your phone number. Couple this with the password breaches at various companies, and it’s not as difficult as it may seem to get into your accounts. There are dozens of instances of this happening -- just Google “sim swapping” and you’ll see.
First, get an idea of what information of yours may already be leaked. haveibeenpwned.com is a free service that will tell you whether an email address of yours appears in any known data breach.
Don’t freak out too much if a bunch of services pop up in your list. There have been a number of breaches in recent years. If you see anything of value on there and you haven’t changed your password in a while -- do it right away!
Make sure to secure your mobile service the best you possibly can. Some mobile carriers let a user set a PIN or passcode on the account. Add this to your account. That way, if someone calls trying to swap your SIM, they’ll also have to provide a PIN that -- theoretically -- isn’t published anywhere else on the web.
Besides two-factor authentication, there are devices -- such as YubiKeys -- that add a physical layer of security to many common accounts (Google, etc.). A YubiKey is a small USB device that -- when prompted -- you insert into the device you are using to log in to your account. You then place your finger on a touch sensor, which confirms that a real person is attempting to log in AND that this particular YubiKey is registered with this account -- that way, it’s not so easy for someone to log in without your key!