
T-Mobile data breach and SIM-swap scam: How to protect your identity

Even if you're not a T-Mobile customer, SIM-swap fraud is real. Here are some ways you can avoid it.

Jason Cipriani Contributing Writer, ZDNet
Jason Cipriani is based out of beautiful Colorado and has been covering mobile technology news and reviewing the latest gadgets for the last six years. His work can also be found on sister site CNET in the How To section, as well as across several more online publications.
[Image: SIM cards] SIM swapping is when a scammer transfers your phone number to another device to access your accounts. (Jason Cipriani/CNET)

Just when you think the massive T-Mobile hack can't get any worse, on Friday the carrier announced that over 50 million people, including current and former customers as well as prepaid customers, were affected by the breach. Information like Social Security numbers, driver's licenses and account PINs were exposed. Here are some steps you can take right now to protect your financial information.

Regardless of whether you're a T-Mobile customer, the exposure of account PINs is a major danger. That's the passcode you're asked to give a T-Mobile employee before any changes can be made to your account. A scammer who knows your account PIN can call customer care and ask to have the SIM card linked to your phone number moved to a new SIM card and device, effectively taking over your phone number. If you've moved on from T-Mobile to another carrier and reused the same passcode there, change it immediately.

SIM swapping is not just an inconvenience. Once someone has taken over your phone number, they can use it to impersonate you or log into your online accounts. They get instant access to any two-factor authentication codes you receive through text messages, such as the PIN an institution texts you to verify your identity.

So if they also have your password or other personal information, they're just a few clicks away from logging into your email, bank or social media accounts. And if someone gains access to your email account, they can change other passwords and search through your email archive to build a list of your entire online presence. Take the time to move away from SMS 2FA codes and use app-based codes instead. Seriously. 


For example, Matthew Miller, a contributor to CNET sister site ZDNet, fell victim to a SIM-swap scam and he experienced the fallout for months afterward. Whoever took over Miller's phone number gained access to his Gmail account, and promptly changed his password, then erased every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account altogether. 

Miller later discovered he was targeted because he had a Coinbase account and his bank account was linked to it. Miller's phone received his Coinbase account's two-factor authentication code, so the hackers were able to log into his cryptocurrency trading account and buy $25,000 worth of Bitcoin. Miller had to call his bank and report the transaction as fraud. That's on top of the immense vulnerability he felt.

To be clear, this isn't an issue that's specific to T-Mobile. All wireless carriers and customers can fall victim to SIM-swap fraud. Below are some tips to secure your wireless account. 

[Image: AT&T extra security settings] It takes just a few minutes to add a critical layer of security to your account. (Screenshot by Jason Cipriani/CNET)

How to prevent SIM swapping on your account

You can decrease your chances of someone gaining access to and taking over your phone number by adding a PIN code or password to your wireless account. T-Mobile, Verizon and AT&T all offer the ability to add a PIN code. 

If you're unsure if you have a PIN code or need to set one up, here's what you need to do for each of the major US carriers. 

  • T-Mobile: Set up T-Mobile's Account Takeover Protection service. You need to add the feature to each individual line on your account. I also suggest changing your account PIN (if you're not asked to while setting up Account Takeover Protection). 
  • AT&T: Go to your account profile, sign in, then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then go to Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
  • Verizon Wireless: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.

[Image: Galaxy S10 Lite] If your phone loses service, contact customer care right away. (Juan Garzon/CNET)

If you have service through a different carrier, call their customer service number to ask how you can protect your account. Most likely, you'll be asked to create a PIN or passcode.

When creating a PIN or passcode, keep in mind that if someone has enough information to fake that they're actually you, using a birthday, anniversary or address as the PIN code isn't going to cut it. Instead, create a unique passcode for your carrier and then store it in your password manager. You are using a password manager, right? 

How to know if your SIM has been swapped

The easiest way to tell if your SIM card is no longer active is if you completely lose service on your phone. You may receive a text message stating the SIM card for your number has been changed, and to call customer service if you didn't make the change. But with your SIM card no longer active, you won't be able to place a call from your phone -- not even to customer service (more on this below). 

In short, the quickest way to tell if you've been affected is if your phone completely loses service and you can't send or receive text messages or phone calls.

What to do if you're a victim of SIM-swap fraud

The truth is, if someone wants access to your phone number badly enough, they will do all they can to trick your carrier's support representative. What we've outlined above are best practices, but they're not foolproof. 

Researchers were able to pose as account holders who had forgotten their PIN or passcode, often by providing recent outgoing calls from the target phone number, calls the actual account holder had placed. How did they know those numbers? They tricked the account holder into calling them. Even scarier, sometimes the researchers could pass the check by providing phone numbers for incoming calls to the account they wanted to take over, meaning the attacker simply needed to call the target's phone number themselves.

Once you realize you've lost service on your mobile device, call your carrier immediately and let them know you didn't make the changes. The carrier will help you recover access to your phone number. I can't emphasize this enough -- do not wait to call. The longer someone has access to your phone number, the more damage they can do. 

Here are the customer service numbers for each major carrier. Put your carrier's number in your phone as a contact:

  • AT&T: 1-800-331-0500
  • T-Mobile: 1-800-937-8997
  • Verizon: 1-800-922-0204

[Image: Unlocking an iPhone] Once someone gains access to your phone number, they'll have access to most of your online accounts. (James Martin/CNET)

With your SIM card deactivated, you won't be able to call from your phone, but at least you'll have the number handy to use on someone else's device. 

You'll also want to reach out to your banks and credit card companies, and double-check all of your online accounts to make sure that the perpetrator hasn't changed your passwords or made any fraudulent transactions. If you find transactions that aren't yours, call your bank or visit a branch right away and explain the situation. 

Remember, no matter how many PIN codes or passwords we add to our online accounts, there's still a chance that someone will find a way to break in. But at least by setting a passcode for your account, and knowing what to do if you find yourself a victim of SIM swapping, you're prepared. 

Another critical aspect of strong online security is to use a password manager to create and store unique passwords on your behalf. Additionally, enable two-factor authentication on every account that offers it. And make sure you're not falling for robocalls or scammy text messages.