If you received a text message from T-Mobile this week about a phone-number-stealing scam, you’re not alone. The alert is legit: T-Mobile is texting its post-paid customer base because the company has seen a rise in "port out" scams.
"Port out fraud has been an industry problem for a long time, but recently we've seen an uptick in this illegal activity," a T-Mobile spokesperson said in a statement. "We want to make sure our customers are aware of this risk and encourage them to add extra security features to their accounts. We're messaging our entire post-paid customer base, but that takes time and can't be done all at once so some customers may not have received the SMS just yet."
T-Mobile is recommending that its customers add a 6- to 15-digit port validation passcode to their accounts. You can do this by calling 611 from your T-Mobile number or calling 1-800-937-8997 from any phone number.
A port out scam is when a criminal impersonates you to port your phone number to another wireless carrier. A version of the port out scam, called the SIM swap scam, is when a hacker uses your information at your current carrier to change the SIM card and take control of your phone number.
With control of your phone number, a thief can gain access to any account that sends a text message to your phone to confirm your identity if you've forgotten your password. If the thief already has your regular password, he or she can intercept temporary codes texted to your phone as part of two-factor authentication, or log into online services (such as Google and Facebook) that let you use a mobile number instead of a username.
Once the thief has control of your email account and phone, it's often a small step to seize control of your bank account or other financial services.
The problem is that identity thieves can steal your phone number by just walking into a retail store, either a carrier outpost or a third-party seller, and pretending to be you with a minimum of information. Sometimes they can just call a carrier's customer-service line. (The information required to verify identity varies by carrier and retailer.)
The Federal Trade Commission’s chief technologist experienced a similar scam herself in 2016 when her account was compromised by someone who impersonated her and had two brand-new iPhones charged to her number, cutting off service to her existing Android phones. (In that case, the end goal was to get two free iPhones, not to gain access to her online accounts.)
If someone tries to port your phone number to another carrier, that carrier will have to confirm the request with T-Mobile using your passcode. This port validation PIN is separate from your T-Mobile login password, which you use to log in to your T-Mobile account online. It's unclear if the port validation PIN will protect against same-carrier SIM swaps.
T-Mobile claims the scam is industry-wide, but GlobalData senior analyst Tammy Parker says the identity-theft stories that have grabbed headlines in recent months are all tied to T-Mobile. Hackers ported a Denver man’s phone number from T-Mobile to MetroPCS and then drained his bank account. In Washington state, a rash of T-Mobile customers saw their numbers stolen and bank accounts compromised.
"The one thing all of these cases have in common appears to be T-Mobile," Parker said. "That said, there doesn’t appear to be anything that would keep customers of other carriers from also being targeted.
"However, perhaps other carriers have been more insistent on their customers adding an extra layer of security, such as a PIN, to keep their services from being ported without their permission. Some victims have suggested there may have been a data breach at T-Mobile that has enabled this scam, but that does not appear to be the case."
Other wireless carriers offer similar passcode protections that require you to provide a PIN before you can make changes to your account. Extra security is opt-in, so if you haven’t enabled it yet, now’s the time.
If you use your cell phone number as the second factor for authenticating your other accounts, you may want to consider using a physical USB verification key or the Google Authenticator app instead. That way, if your cell phone number is compromised, the rest of your life will remain secure.