Story of how my mobile phone number was hacked and how to prevent it from happening to you.
How it started
On April 13th, 2020, at 9:30 pm, I was getting ready for bed. I get a text message from supposedly TELUS indicating my number switched over. At 1st glance, I thought this was a scam. But about 10 mins later, it hit me. What if this is happening? Nah, it couldn’t be, could it? Did someone hack me?
A message from a stranger
Then at about 9:47 pm. I receive a text message from an unknown number in the Montreal area code asking, “whos this.” At this point, I am a little confused, thinking, is this another scam? Do I reply? But no doubt is starting to fill my head, and I think back to the initial text message from TELUS. I am still getting text messages; it must be a scam, right?
Wow, this is happening.
At approximately 9:58, I can no longer make or receive calls or send and receive text messages from my phone. It’s all evident at this point. The text message from TELUS was not a scam; someone just hacked me. I proceed to call the number in the text, but now the call center is closed. I am in for a long night; I can feel it.
Your Microsoft account password was changed.
At 10:05 pm, the hacker knew most providers are closed due to COVID19; they start, they time this perfectly. They 1st reset my email password using my phone number. They now have my phone number and email; they have all they need.
Next stop PayPal and Amazon
Next, they reset PayPal, Amazon, then most likely downloaded my emails. It’s a horrible feeling. PayPal sent me an email asking me to call them right away, but when you no longer have your phone, what do you do?
Prevent your phone number from getting hacked
Do this today:
Call your phone provider and ask for Port Protection. Possibly it’s called something different for each provider. Port Protection will allow you to request your service provider to contact you and talk to you live on the phone before porting your number over, rather than a text message 25 minutes beforehand, without any further authorization.
All they needed
They port my number in a matter of minutes to their provider. All they needed was my account number and phone number. That’s it.
Why do you need to ask for port protection?
You need to ask for port protection because the CRTC ( Canadian Radio-television and Telecommunications Commission) wants to make it as easy as possible for people to switch providers. This all sounds great, until it isn’t, like in my case.
https://crtc.gc.ca/eng/phone/mobile/num.htm
Documentary on phone number hacking
If you want to hear more about this type of hacking, check out this documentary on “Sim Kids.” Warning – it may evoke some strong emotions, watching the documentary.
https://www.sho.com/vice/season/1/episode/1/keepers-of-the-caliphate-and-sim-kids
Final thoughts
A lot happened that night and that week. I will share more in the following posts, but I wanted people to know what to do today to prevent the initial breach that happened to me.
MFA is a great way to increase security; however, if someone steals your phone number and uses the text method to receive the notifications, you are out of luck. Even if you are using an App for MFA, regaining access to your account, often you are texted a code. I think you can see where I am going with this; it all comes back to your phone number. There are other ways to use two-step verifications with third-party hardware keys like yubikey, but let’s face it, most people will not want to carry a hardware key around. It goes back to security versus usability and ease.
I lost my phone number in a matter of minutes that night, don’t let this happen to you; it’s preventable. I hope I can reach as many people as possible with my story and that more people add Port Protection to their phone numbers to prevent this.
