Warning: Protect your mobile phone numbers from being hijacked

Ever since they appeared a decade ago smart phones have been a thorn in the side of CISOs, offering attackers a way into corporate networks through devices often not controlled by the enterprise.

Malware, either installed through malicious email or a recklessly downloaded app, are the usual vectors. But a report this week in the New York Times warns that lazy support staff at wireless providers — aided by equally lazy handset owners — are another vulnerability.

According to the story, an increasing number of people are reporting their cellphone numbers have been hijacked by criminals who get the providers to transfer the numbers to their own devices. Then, if the devices aren’t locked with a password, criminals can change application logins used by the victims to access enterprise and personal applications.

In the U.S., says the Times, figures from the Federal Trade Commission indicate  number of phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658. Equivalent data in this country is hard to find. The office of the Commissioner for Complaints for Telecommunications Services said for the fiscal year that ended July 31, it had received 23 complaints alleging fraudulent disruption or suspension of service.

In response to a query, neither Bell Canada nor Telus could offer any statistics on how often wireless phone hijacking takes place.

Bell said in a statement that it is  “continually updating our security measures to counter threats of cybercrime, including those related to SIM swapping and identity theft schemes. As always, we encourage our customers to remain vigilant about password protecting their devices and to be careful about sharing of personal information.”

In a statement Telus said protecting customer privacy is a priority at the carrier. “We’ve implemented security protocols, including enhanced verification processes such as PINs and secondary security questions, designed to ensure that we’re only speaking to authorized users about an account.  We also have our Telus Wise initiative, a free educational program available to all Canadians that focuses on Internet and smartphone safety and security to help keep consumers safe from online criminal activity such as financial fraud.”

Rogers Communications didn’t reply to a query on the issue.

The Times report serves as a warning to Canadian businesses that sharp threat actors may try to take advantage of weak security practices of uses and providers to take control of mobile devices.

For best protection users have to ensure a caller to a carrier support centre can’t impersonate them. That means if possible insisting on non-standard questions that have to be answered (especially avoiding mother’s maiden name, for example), and ensuring that a PIN number is set up that a phoney caller won’t know. It also means not posting personal information on social media sites like Twitter or LinkedIn that can be used by an impostor, such as your birthday, wedding day, public schools you went to, the names of your children, your cellphone number and details of trips away from home. And most important, despite the inconvenience make sure you have a PIN number or biometric activated on your mobile devices.

At the same time carriers have to crack down on support staff to ensure they don’t sympathize to unknown people on the line who seem oh-so-close to guessing the right answer to a challenge question.

The Times article  said criminals seem to be targeting people with valuable online accounts such as virtual currency traders. They are apparently found because they are loose-lipped on social media. “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” one Bitcoin entrepreneur is quoted as saying.

In a number of cases involving digital money enthusiasts, the article says, the attackers accessed and then held sensitive email and phones for ransom.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now