News broke recently on a huge phone port-out scam. If you don’t know what the scam is or if you’ve not yet taken action to protect your account, this post will get you up-to speed.
Potentially, anyone who has a cell phone with any of the phone carriers. Yes, this mostly likely includes you too. This is not a carrier specific issue. This is an industry-wide scam.
What is the port-out scam?
When you switch a phone line from one carrier to another, the transfer process is called “phone porting”.
Porting out a line is not difficult. If you’ve ever switched carriers, you know that you (or your new carrier) simply has to call or provide your account PIN to initiate the transfer. For carriers like T-Mobile, the PIN had been the last 4 digits of your SSN.
How the scam works:
- Fraudsters are impersonating you to “port-out” your phone number with your carrier. This lets them take control of your phone number.
- Remember how you set up password recovery to your email or banking accounts? Those are usually secured with a text code to your phone number as a recovery method.
- Now that the fraudsters are in control of your phone number, they can recover access to your banking accounts to try to steal your money.
Why is this a big deal now?
Remember the huge Experian data breach in which the data of millions of people are compromised, including names, social security numbers and phone numbers? They already have a lot of your basic information.
Now, remember how your phone carrier is securing your account? In T-Mobile’s case, it was the last 4-digit of the SSN (which was also a piece of data exposed in the data breach). The fraudsters have enough information to impersonate you and port-out your phone number so that they can get access to your accounts.
Can it happen to you?
Yes, it can!
If you are part of the Experian data breach (almost everyone) and your phone carrier relies on your SSN as your PIN, then you are at risk for this scam.
It’s understandable if you’ve not heard of this scam, since reports are only now surfacing. Unlike traditional scams, people aren’t directly tricked by giving out their information. The victims simply experienced the effects of the scam, when money is transferred out of their banking accounts.
The threat is real. You can read the accounts of those who have been victimized by this scam.
What Should You Do To Protect Your Account?
Contact your carrier. My phone carrier, T-Mobile, sent a text to notify customers to set up a port validation feature. This ensures that fraudsters could not port out your phone number without providing a passcode. Your phone carrier probably set up something similar.
I called up T-Mobile and set up a passcode in under 2 minutes. For T-Mobile, this passcode replaces the account PIN you provide when you call in to validate your account.
I would have preferred it if customers could enable the feature by logging in their account. Google Voice has a phone number locking feature to prevent such unauthorized port-out a long time ago.
What Else Have I Done To Protect My Accounts?
In addition to calling my phone carrier to enable the port validation feature, I took an added step of reviewing the account recovery process for sensitive accounts. I wanted to make sure that I have two-factor authentication enabled and that the recovery process isn’t just based on text/phone method alone.
Fortunately, I feel a bit more secure to know that most banking sites have more stringent account recovery requirements. This includes requiring that you provide your banking account number in addition to authentication verification.
I’ve already been caught up in several data breaches through no fault of my own. I feel like some of my data is just sitting duck out there somewhere. In spite of it, I still think it’s important to try to protect your accounts however you can.
If you haven’t called your carrier to protect your account yet, do so. A couple of minutes now could potentially save you hours and hours of headaches later.
Are you a victim of the port-out phone scam? Do you know anyone who are? Did you have any problems setting up your port-in validation passcode?