Sorry to be the bearer of bad tidings, but there's one more security threat to worry about: your phone number. If a hacker gets hold of it, you could be facing some serious personal privacy issues.
We can recommend ways to help you identify scams that lure you to give up your details, and have tips to help keep your phone number safe.
Let's start with a real-world example. Last year some T-Mobile customers -- including a CNET staffer -- received a strange text message:
Alarming, no? Was the text from T-Mobile proper, or was it a form of phishing -- an attempt to get you to visit a malicious website?
Turns out it was the former, though you should always think twice before tapping or clicking any link that seems overly alarmist -- and you should never enter personal information unless you've gone directly to a company's website or app.
In this case, however, T-Mobile was warning customers about a very real issue: "port-out scams," an attempt by hackers to capture your phone number, transfer it to another carrier, and then use it to access your bank account.
For example, if a thief is able to port your number without your knowledge, they can then use that number to bypass two-factor authentication at your bank or another financial service -- because the SMS confirmation will now come to his phone, which has your number.
Safety in numbers
Although these scams aren't necessarily limited to T-Mobile (they're "affecting the entire wireless industry," according to a T-Mo FAQ page on the subject), the carrier's exposed the personal data of millions of customers -- hence the recent uptick in fraudulent activity.
How can you protect yourself? If you're a T-Mobile customer, you're strongly urged to enable port validation, which requires the creation of a 6- to 15-digit passcode. After that, T-Mo won't honor any port-out request unless that passcode is provided. To enable the feature, you can dial 611 from your phone or call 800-937-8997.
It's worth noting that the new passcode doesn't replace your existing T-Mobile PIN or password; it's a second layer of security. The company also recommends "checking with your bank to see if there is an alternative to using text-for-PIN authentication, such as email."
CNET also recommends. A better option is an authenticator app.
While you're at it, use a password manager to generate strong passwords and keep track of the various PINs and passwords used for your bank, phone carrier and other critical services.
One more tip: Give friends, family members and banks your regular number, but for everything else, use a "disposable" second number, which you can get from the likes of Google Voice and Textfree. Although that second number could still be stolen by hackers, it won't be tied to anything mission-critical.
Got any other recommendations for avoiding port-out scams? Share them in the comments!
Originally published on Feb. 17, 2018.
Update, April 29, 2019: Miscellaneous minor updates.