If you have an online account, you are familiar with the username/password method of user authentication. If you have been paying attention to recent news stories, however, you also recognize that this method of authentication has some security drawbacks. A quick visit to the website www.haveibeenpwned.com can help identify if your email address has been involved in a security breach, such as the breach that occurred at LinkedIn in 2012. In that breach, user email address and site passwords (stored as SHA1 hashes without salt) were stolen, and many were cracked to reveal the true text of the user’s password. This meant that users who re-use passwords across platforms were susceptible to having other accounts accessed by the password thieves (or those to whom the thieves sold that information).
As both a remedial and preventative measure, users can use a password manager or, preferably, can enable a form of multi-factor authentication ("MFA," sometimes referred to as "2-factor authentication" or "2-step verification") to prevent stolen credentials from being used to access other accounts. One form of MFA used commonly is to have the service provider send a message with a one-time code to a trusted device, such as a cellular telephone, during a log-on attempt. Users of Apple’s iCloud, Google’s Gmail, or Microsoft’s Xbox who have enabled MFA may already be familiar with this process. And it can be used on a variety of platforms, from social media to online banking. But what if someone stole not your cell phone, but your cell phone number, and therefore received your calls, text messages, and MFA verification codes? In an emerging fraud trend, criminals are doing just that. Fortunately, there is a way to protect yourself.
This week, T-Mobile began notifying its users of a "port-out scam" affecting the entire cellular telephone industry. In a port-out scam, fraudsters impersonate legitimate users to transfer service for a cellular telephone number to a device in the fraudster’s possession. That person would then begin to receive messages meant for the victim, which could include MFA codes, banking information, personal communications, or other sensitive and confidential messages or media.
Targeting a specific individual to facilitate fraud is not new. Spear-phishing emails have existed for years, through which fraudsters target specific people in a company to attempt to defraud the company. W-2 scams try to convince company workers to send all employees’ W-2 information to fraudsters. CEO scams target a company’s finance department to attempt to facilitate wire transfers. General phishing messages may try to obtain various employees’ log-on credentials. It is not a far jump to identify a person’s cellular telephone number and add that to the various schemes by which criminals can facilitate fraud, especially if your cellular telephone number is published or otherwise known widely. Indeed, receiving a telephone call or text message from a company contact—and being able to respond to that call or message at the correct cellular telephone number—would add a lot of credibility to a fraud scheme.
Fortunately, you can protect yourself (and your company) against port-out scams. Simply contact your carrier’s customer service department and inquire about adding a security code to your account. Once added, changes can be made to an account only if the person requesting the change knows the code. It is therefore important that the code be kept confidential and secure. If you are not sure whether you and your company are protected against port-out scams or other forms of digital or electronic fraud, contact the Dickinson Wright Data Privacy and Cybersecurity attorneys to review your security policies, protocols, and training programs today.