How to keep scammers from stealing your phone number – CNET

Last week, some T-Mobile customers — including a CNET staffer — received a strange text message:

[Image: T-Mobile text alert about port-out scams]

That’s a strange message to get from your carrier — but it’s also an important wake-up call. Er, text…

Screenshot by Natalie Weinstein/CNET

Alarming, no? Was the text from T-Mobile proper, or was it a form of phishing — an attempt to get you to visit a malicious web site?

Turns out it was the former, though you should always think twice before tapping or clicking any link that seems overly alarmist — and you should never enter personal information unless you’ve gone directly to a company’s web site or app.

In this case, however, T-Mobile was warning customers about a very real issue: “port-out scams,” in which hackers attempt to capture your phone number, transfer it to another carrier, and then use it to access your bank account.

For example, if a thief is able to port your number without your knowledge, he can then use that number to bypass two-factor authentication at your bank or another financial service — because the SMS confirmation will now come to his phone, which has your number.

Safety in numbers

Although these scams aren’t necessarily limited to T-Mobile (they’re “affecting the entire wireless industry,” according to a T-Mo FAQ page on the subject), the carrier’s security breach last year exposed the personal data of millions of customers — hence the recent uptick in fraudulent activity.

How can you protect yourself? If you’re a T-Mobile customer, you’re strongly urged to enable port validation, which requires the creation of a 6- to 15-digit passcode. After that, T-Mo won’t honor any port-out request unless that passcode is provided. To enable the feature, you can dial 611 from your phone or call 800-937-8997.

It’s worth noting that the new passcode doesn’t replace your existing T-Mobile PIN or password; it’s a second layer of security. The company also recommends “checking with your bank to see if there is an alternative to using text-for-PIN authentication, such as email.”

CNET also recommends avoiding SMS for two-step verification; a better option is an authenticator app.

While you’re at it, use a password manager to generate strong passwords and keep track of the various PINs and passwords used for your bank, phone carrier and other critical services.

Got any other tips for avoiding port-out scams? Share them in the comments!