How to Stop Your Mobile Number from Being Hijacked

Port-out scams aren't just for T-Mobile customers any more.

An AT&T store in Perrysburg, Ohio. Credit: Susan Montgomery

(Image credit: An AT&T store in Perrysburg, Ohio. Credit: Susan Montgomery)

AT&T on Tuesday (Feb. 27) issued its own memo warning customers about the scam, in which a crook impersonates a carrier customer and has a mobile number "ported out" to a new carrier or SIM card in an attack method that has come to be known as SIM swapping. With all calls and texts redirected to a new device, the crook can intercept two-factor authentication codes and hijack a customer's Apple, Google or online-banking accounts.

"You may not know this has happened until you notice your mobile device has lost service," wrote Brian Rexroad, AT&T vice president of security platforms, in an official AT&T blog posting. "Then, you may notice loss of access to important accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information."

MORE: Best Phone Carriers

In early February, T-Mobile alerted its customers to the scam following "an uptick in this illegal activity." Most recent anecdotal reports have seemed to involve T-Mobile rather than AT&T, Verizon or Sprint, although the scam can theoretically be carried out on any carrier.

In 2016, a top Federal Trade Commission official fell victim to a port-out scam when a crook walked into a phone store with a fake ID, pretended to be her, and charged two new iPhones to her account.

In all cases, the prevention for port-out scams involves using or creating a password or PIN on a wireless-carrier account so that crooks can't make changes without it.

How to Prevent Port-Out Scams (In Theory)

With AT&T, a passcode already has to be used when calling customer care, changing the passcode or making account changes in an AT&T retail store. To prevent port-out scams, the company advises adding an "Extra Security" option so that the passcode will be necessary to access the account online or to make changes in any retail store, even one not run by AT&T.

You must first go to the My AT&T webpage and log in using your phone number and passcode. (If you don't have a passcode, there's a link on that page to create one.) Under the "Wireless passcode" section, select "Manage extra security" and then check "Extra security."

Unfortunately, prepaid customers at AT&T can't get all these protections. They can't add "Extra Security," although they already need their PINs to make online account changes. But third-party retailers might not have to demand a PIN when a crook walks into a store and asks for a replacement SIM card on an AT&T prepaid account.

AT&T contract customers also can create passcodes of up to 24 alphanumeric characters, but AT&T prepaid customers can make only a four-digit PIN. The default PIN is the last four digits of the account holder's Social Security number, and even if that's changed, it takes only 10,000 guesses to crack.

Prepaid customers have fewer options with AT&T. Screenshot: Tom's Guide

Prepaid customers have fewer options with AT&T. Screenshot: Tom's Guide

Sprint makes you set up a PIN upon account activation, which it requires for port-out requests, according to a Sprint representative who spoke to independent security reporter Brian Krebs. Verizon told Krebs that account changes with it also require a PIN, which customers can create online or at Verizon retail stores.

T-Mobile recommends that its customers dial 611 from their T-Mobile phones, or 1-800-937-8997 from any other phone, to set up an account-protection PIN of six to 15 digits. Once that's done, you'll need to provide the PIN if you call customer service or go into a T-Mobile retail store.

The implication here, of course, is that until recently, you may not have needed a PIN at all to have a number ported when you called T-Mobile customer service or walked into a T-Mobile store. That may explain why port-out scams seem to affect T-Mobile more than any other carrier.

A commenter to Krebs' posting said that when he called T-Mobile to set up the account-protection PIN, the customer-care representative didn't know what he was talking about. A Reddit thread lists anecdotes of T-Mobile customer-care reps ignoring the account-protection PIN requirement, or letting callers override it by providing a Social Security number.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
A fake text message on a smartphone being held by both hands.
Toll road scams are worse than ever — what to look for and how to stay safe
iPhone 15 Pro Max shown in hand
iMessage under attack from scammers sending phishing messages — don’t fall for it
A hacker typing on a computer
FBI issues serious warning to iPhone and Android users — stop doing this ASAP
A person sat at a computer and a tablet, coding
What is social engineering and how to avoid becoming a victim
A picture showing different credit cards stacked on top of each other on a table
5 million Americans just had their credit card details leaked online — what to do now
An email icon open on a laptop screen
New Google Calendar notification attack could be hiding in your inbox — here's how to protect yourself
Latest in Network Carriers
Super Bowl LIX signage in New Orleans
Super Bowl 2025 — here's what the big carriers are doing to amp up their networks for the Big Game
Phones floating in the clouds showing the Helium mobile app
Helium Mobile unveils a free monthly wireless plan — here's what you need to know
Visible phone service on a smartphone with a deal tag
The best unlimited data plan just dropped 33% — but you've got to act now
Mint Mobile unlimited data deal with badge
Hurry! You've got until January 24 to cut your unlimited data bill in half at Mint Mobile
a Mint Mobile sim card envelope with a deal badge
Not a typo — Mint Mobile cuts the price of unlimited data in half for a full year
A smartphone with Visible being set up on it and a deal badge
Cellular bills are out of control — and this unlimited deal for $30 a month puts the big carriers to shame
Latest in News
A person on a laptop converting a PDF to a DOC
FBI issues warning over free online file converters that infect your PC with malware
The Find my People feature
Android Find My can now track your friends and family — here's how to use it
Foldable iPhone concept image
Are you sitting down? Here’s what the foldable iPhone could cost
Samsung HW-Q990D soundbar
Samsung’s flagship 2024 soundbar just got bricked by a new firmware update — don’t update
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
Owen Cooper as Jamie Miller in Adolescence
'Adolescence' is a gripping new Netflix show that's already hit No. 1 — and it’s 100% on Rotten Tomatoes