Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
What are the phone protections the FCC mandated in 2024?
Okay, I'm going to be honest here. I don't even know who the FCC is, so...
The Federal Communications Commission. They make laws about radio, television, phone,
(00:27):
cable, that kind of stuff. All right. Hopefully they found a way to make our
calls a little more secure is what I'm going to hope.
Maybe. Sort of, I suppose. Wishful thinking. Yeah. Yeah, I think so.
Awesome. Okay, so what is a SIM swap attack? This sounds bad, so I'm curious to know how
(00:58):
often these attacks happen, just so you know. Yeah, and I don't have... I didn't pull the
numbers on that. It's not... This one is more about some other things that we'll get into,
kind of an excuse to talk about it. It's because the numbers are not super high.
Okay. Okay, good. That makes me feel good. So I'm going to get some insight,
(01:24):
I guess, as it'll help us be aware of security in a new light, you know.
Okay. What is a port attack? Port-out attack. Okay.
I hear this. I immediately heard of a scam years ago to where they were hacking your phones via
(01:49):
these ports that you'd use for charging, like at hotels or public places that you could charge your
phone. Oh, yeah. Is that what we're talking about here? Something like that?
Nope. This is very much related, very similar to the SIM swap attack, but the attack you're
talking about does exist. I'm not sure on the frequency, again, of it, but think of it like,
(02:11):
you know, when you plug in your phone to your computer. It's not just for charging,
it's for data transfer, right, between your phone and your computer. Right. So that's the
idea. Those, instead of just providing power, it would do data transfer, and so it would be
trying to extract data from your device. Oh, dang. That's the idea. Okay. Okay.
(02:38):
I'm excited for this next question because I've often asked myself this question.
What is your second most important online account?
Based off of our conversation, I'm going to assume it has something to do with our phone.
Right. You know, so, yeah. I'm excited to know what should be that second
(03:07):
area we should start focusing our security on, so I'm excited. Yeah. Well, and I think eventually
we'll do an episode where we walk through the whole breakdown of, you know, account priorities.
Excellent. I love it. I'm excited to hear. Okay. Well, welcome back, and thanks for tuning in.
(03:29):
I'm Nick, and this is Super Simple Security Principles. Listen each week and learn how to
think, not what to think. This is episode 50. Two new locks for your phone number.
All right. I'm excited. Two new locks for your phone number. Where do we start? Well, so last week,
(04:00):
we talked about some phone number safety as well with the breach and all the spying,
and so we're talking about phone number safety again, but in a very different variety.
So, I just want to remind us, too, part of the motivation of this is because email, we've talked
(04:23):
about often as a master key for our accounts. Our phone number is also something of a master key,
and specifically, it's often the only form of two-factor authentication that we're offered.
Yeah, text message. Yeah, exactly. Yep, text message to enter in the code, and, you know,
(04:48):
you asked about the frequency of the attacks, and they're still, they're pretty small in number
relatively. They have been slowly growing both in frequency and severity, and they're used as part of
bigger attacks, and yeah, well, we'll talk about that more, but the FCC anyway decided that they
(05:13):
wanted to add some new rules about it in 2024 to help protect against these attacks, and again,
most of these attacks are very targeted, and they're going to be against businesses or influential
individuals in businesses anyway, but anyway, I'm hopeful about these rules that they're going to
(05:36):
help protect against these attacks. I say hopeful partly because it depends on exactly how the rules
are implemented because, you know, we've got this document from the FCC, which is long, painfully
long. I've looked at it, didn't read through it all, but it's the government, so you can imagine,
(05:59):
right, and, but of course, how that translates into practice is a totally different story,
so it's pretty new. It was, a lot of it came online near the end of 2024,
but anyway, our focus is just going to be on a very small piece of that legislation,
what I think of as two new locks, and I do recommend personally for everyone to turn them on,
(06:26):
and each of the locks acts as a layer of protection against those two types of attacks,
the SIM swap and the port-out attack. Nice, so we can, with two, we can eliminate these two attacks.
Yeah, or at least, yeah, that, yeah, exactly, add a layer of protection, hopefully eliminate them,
(06:49):
but yeah, that's the idea. Yeah, all right, all right, yeah, and that's probably not bulletproof,
but at least add some layers of security from it. Yeah, I mean, I don't know, I, I'm not trying to
be nitpicky on the word there, I just dodge, eliminate, I mean, I like, you know, we've,
we talk about layers a lot, right? Right, right, no, no, so that's all, yeah, but,
(07:14):
uh, so we're going to talk about what those attacks are, and how the new locks protect you,
but the really, really quick version, if we've talked about credit freezes, yeah,
they're a lot like that. Okay, we talked about that in episode 29, and so anyway,
(07:36):
concept is very similar. So the first attack, SIM swap, and this is the one that gets talked
about the most, um, so real quick though, what is a SIM? It stands for Subscriber Identity Module,
and I don't expect anybody to remember that, but the subscriber is the most important part.
(07:58):
It's a little chip that gets put into your phone, that tells your cell phone company,
AT&T, Verizon, T-Mobile, whatever, who you are. Yep. And these days, there are, there actually is
often no longer an actual physical SIM card, they've just made eSIMs, you know, a digital version
(08:18):
of it, but the concept is still the same. There's something associated with that phone, that when
you're making phone calls, you know, they know it's you making that phone call. Okay.
And so a SIM swap is actually a normal thing that happens when, say, you upgrade your phone,
(08:38):
you need to move the SIM from your old phone to your new phone. Yep.
So a SIM swap attack, all it is, is when the hacker does that on your behalf, and instead of,
you know, of course, they move it from your phone to one of their phones.
And that's, that's all it really is. Gotcha. But it behaves just like you upgraded. So that
(09:05):
means then they're getting all your messages and your phone calls. And the good news is,
in a way, at least, is unlike last, you know, the last episode, we talked about where it's a
spying situation, right? So they could see your text message and phone calls, and you didn't know
about it. Well, with a SIM swap, your phone stops getting the phone calls and text messages.
(09:29):
So, I mean, you may not notice immediately, right, if you're not, if you don't try to make a call or
send a message, and you're not expecting one, but it's not going to be long before you figure out
that your phone no longer works. Right. And so anyway, that's, that's what a SIM swap attack is.
Gotcha. Okay. It makes sense. Like, I used to, I still do, I get my phones from Apple directly,
(09:56):
right? And so I'm super familiar with throwing in that SIM card or, you know, I haven't had the
digital one yet. I'll have to... Oh, really? You've got to still do the physical chip? Yeah. Yeah. Okay.
That said, I don't upgrade my phone all that often. Right. Likewise. Yeah. So the second
(10:22):
attack, the port-out attack, is basically the same, except that instead of transferring the
service to a new device within the same carrier, you're moving, you might be using the same device,
but moving it to a new carrier. Right. So if you're switching from AT&T to Verizon, for example,
whatever. Yeah. Yeah. So again, something we might do ourselves, obviously way more rarely
(10:48):
than, you know, upgrading your phone, but anyway, that's the idea. So, but in either case,
the objective for the hacker is to get control of your phone number so that they can then hack
into your other accounts because they can receive the two-factor authentication codes, for example,
and that sort of thing. Okay. The next thing that we need to talk about is how these attacks
(11:16):
actually happen. And it's really kind of crazy, in my opinion, that it's even possible
because... So if you're listening and you're like, what? That doesn't make any sense. Why would
anybody ever let this happen? Well, I'm with you, but it's been happening and you can read
(11:38):
events in the news. You can go search, you know, news for SIM swap. It's not, you know, it's not
nothing on the scope of data breaches or whatever, but it's happening. So, and all it boils down to
is a scammer. They call your phone company and basically they share enough personal information
that they've collected from you from these data breaches or whatever else and trick them into
(12:03):
believing that they're you and that you're switching your phone service to a new phone.
Okay. And that's, that's the whole of it, really. Really? Yeah. So that's, that's what they're
doing. Like they've gathered enough data to basically call in the phone company, fake to be
(12:26):
you, say, "Hey, we're going to change carriers." Or just upgrade the phone. Or just upgrade phone.
Yeah. Yep. Yeah. Upgrading the phone is a lot more common just because it's an easier sell.
You know, they're not going to like, they're happy to have you upgrade the phone. If you're
trading carriers, they're like, Oh, they're going to probably try to convince you to stay
(12:50):
in all this nonsense. So it doesn't happen nearly as often from, at least from what I've
found online about it. But so if we're talking about protections though,
you know, the, the question, and we get this about things in general is like, so there's all this,
(13:11):
you know, information of mine that's supposed to be private, but now is publicly known because of
these data breaches. Right. So what, what can we do about that? We can't, you know, get rid of it.
There are some data scrubbing services you can kind of try to hide or remove some of it,
but a lot of it's just going to be out there and there's nothing you can do about it. Right.
(13:31):
Right. So the answer in my mind, for this case and many others is basically, it means you need
to add a layer of protection that doesn't depend on that now publicly known information. Right.
Right. And also that layer of protection shouldn't depend on the customer service person
(13:57):
not being tricked by the scammer. Right. Right. Right. That's a little, somebody that doesn't
know you at all is fielding a call to try and determine whether you are who you say you are or
not. If this is going to happen to me, I don't like those odds, you know? Yeah. Yeah. It's,
(14:18):
well, and, and I mean, the thing is that's the way, you know, there's so many systems where
you call up and you have to prove who you are. Right. Right. Because, I mean, it's just like
logging into a website, you know, you've got to prove who you are there and they have these phone
systems and you got to call and prove who you are there. And a lot of times that's just based on,
(14:38):
been based on information and it's just, it's turned out to be, especially these days,
that's just not the greatest way to authenticate people. Right. Right. And so some, sometimes now
you have pins or other things and we'll talk about that more another day, but anyway, it's a problem
and these locks at least help with that. They can potentially, if they're handled correctly,
(15:04):
add this layer of protection that we just described. Okay. And I say potentially because
basically this key question is, in my mind, is let's say we have the locks on for our account
and the scammer calls in and somehow convinces them that they, you know, yes, I turn my locks
(15:29):
on and I can't figure out how to turn it off. Can you turn it off for me or something? Yeah. Yeah.
Are they going to, will the phone carriers, you know, are they going to decide to let their
customer service folks turn those locks off if the scammer is convincing enough? I hope not.
And it's just, it's early days, so we'll see. But I'm hopeful because the idea behind the locks
(15:55):
is simple. If they're on, then we can't change devices. We have to turn it off just temporarily
when we upgrade and, you know, that's it. But that's, it can be this layer. It is potentially
very powerful because that's a pretty huge obstacle for the hacker compared to just impersonating you
(16:19):
on the phone. It's a whole different set of things they have to do. They've got to first
hack your online account in order to turn off those locks. And assuming, you know,
you're using a good password with that account. Anyway, that's part of the premise, right? You
want to make sure that account's as unhackable as possible. And actually one thing I found in
(16:43):
the course of my research that with AT&T, for example, the lock is actually done not, it's not
associated with your online account. It's associated on the device itself within the AT&T
app. And so. Sounds like a pretty good way to go. Yeah. It ups the ante even a little bit more,
(17:04):
right? Because then they'd have to like hack your device, hack into the app kind of thing
and unlock it there. And so I'm like, hmm, that sounds really good.
The only downside to that, and I would happily take it though, is say you have your lock on and
you know, you have AT&T, you locked it inside of the app, you lose your device or it breaks.
(17:30):
Then from what I read online, you have to go into the store, show your identification,
prove who you are in person in a store, right? But that seems like a pretty good trade-off to me.
Now that I was going to say, I'd do that. I mean, if you lost your phone, you broke your device,
(17:51):
you're more likely than not going into the store anyways. Why not just have it be customary to
prove you are who you say you are while there? Yeah. Well, a lot of us, I mean, like I haven't
gone into a store in a long time. I mean, you're a little more old school on that front. Like I
hate to break it to you, buddy, because I haven't ordered a phone.
(18:15):
I've ordered my phones online for a fair while now. I order mine online. I just have gone into
the stores. That's cool. I'm just giving you a hard time. And there are plenty of people who do,
I'm sure. I mean, those stores are active, but anyway. So the main thing though,
(18:41):
I think I want to emphasize here in terms of the strength of these locks
is it's going to depend on the specific carrier. How hard are they going to make it for the hacker
to turn off these locks? And so we're just going to have to wait and see a little bit. And I
suspect that will evolve over time. But I think it seems like we're on the same page on this one
(19:07):
is there's really not a whole lot of downside to turning them on. There's very minimal initial
effort ongoing. You're already upgrading, going through the process of upgrading your phone. Yes,
you'd have to turn it off in order to do that temporarily. Adds a tiny bit to a rare event.
All in all, it's a no-brainer decision in my mind. Right, right. So then let's talk about
(19:35):
how you actually turn them on. And of course we talked about their settings in your account.
So that's basically what it boils down to. But it's interesting because it varies actually
more than I expected by carrier because the rules from the FCC don't specify the name.
So they all have their own kind of brand names, including number lock, account lock,
(20:00):
SIM protection, port-out protection. And then the most unusual one is with AT&T. Again,
they're a standout in a number of ways. They combine the locks. You can't actually turn them
off individually. They just combine them into one that I think they called a secure account
lock or something like that. Okay. And like we talked about with them, you do it in the app.
(20:26):
And in most of them, you can do it in the app, but it's basically the equivalent of logging in
to their website and turning it on there as well. Okay. I'll probably create a post on the forum
just to break down a little bit of details, at least for the bigger companies. Yeah. Yeah,
(20:47):
that'd be good. Yeah. The one aspect that, I mean, I looked for, but I don't have an
account with all the carriers. Of course, it's harder than some, but I only have one cell phone.
But I was curious to see if any carriers turn the lock on by default. Mine, Verizon, definitely
(21:11):
doesn't. They didn't even really advertise the existence of this new lock to me. I found out
about it because I try to keep abreast of all these things, but it wasn't just like as a regular
consumer Verizon told me or anything. Right. Right. Right. And based on my general experience,
(21:31):
what little I could find, my guess is that the locks are off by default for most, if not all,
people and carriers. So you might have to check out our links to figure out how to do that.
Yeah. Yep. So the final point that I want to make is, and this goes back to the last question,
(21:57):
our last opening question is about what's our second most important online account.
And it's obviously something we haven't talked a lot about, but I want to start emphasizing more.
And that's your phone account. Yeah. You don't even actually, when you get a phone,
(22:22):
initially, you can get a phone without even setting up the account.
So I recommend not only do you set it up, but you treat it in all the ways we've talked about
with email, having a good, unique password, unique username, 2FA if you can, although a lot
of times you can't because phone is so often the 2FA, like I couldn't find mine. Yeah. So, because
(22:49):
the thing is, even though both the attacks we've talked about today and other things,
like your phone and your phone number in general are harder to take over than your email account,
yeah, it's also a lot more valuable in some ways, right? Because companies assume it's,
(23:11):
you know, they know it's harder to do that. And so it's like, it's a stronger proof in some ways.
Yeah. And, you know, if somebody got access to your phone account, they may not be able to do
some of these things. But anyway, it's, yeah, I just, the more I've thought about, the more I
consider it to be the second most important, just because it can also unlock with, you know,
(23:39):
being the universal kind of 2FA, unlock your accounts a lot as well. So coupled with email.
Right. Does that make sense? Absolutely. Yeah, absolutely. Kind of stumbled my way through that.
No, I, yeah, makes sense. The lock seems like a no-brainer. I tried to get those two locks put on,
(24:07):
you know, because like you said, it's only when you're upgrading a phone or changing carriers
that you would need to worry about unlocking it. Yeah. To add that layer of security.
Yeah. Seems. So have we reached that point in time to our call to action? Yep. Let's hear it.
(24:31):
What do you got for us? Well, you can guess it. Just go and turn on these two locks,
visit the forum post linked in the show notes for if you run into any troubles finding it,
and ask me any questions that come up. I'll also add this, that, and we've talked about
(24:52):
this kind of throughout, but I just want to emphasize the point of this episode was not to,
like, make anybody afraid. Right. You know, the attacks aren't super common. The consequences
are significant if they do happen, but more, I want to be part of the reason the attacks
don't become more common. Right. I want to make sure that if you're listening to this,
(25:14):
you're not one of those victims. Right. You know, the effort to add it, as we've talked about,
is really minimal. The money cost is zero. So just do it. Seems like a no-brainer. Yep.
Yeah. Let's not have these attacks become commonplace. Let's take care of it now. Yeah.
(25:39):
Let's stamp them out completely. Make them, you know, a thing we hardly ever hear about again,
because they just don't happen anymore. I think this is a kind of case where we really could,
ultimately. You know, we can't all do it individually, but if the carriers do their
part, I don't know. I see no reason why it can't go away entirely, ultimately.
(26:02):
Nice. So we'll see. Awesome. Well, do I get to let the listeners know a little secret?
Yeah. Tell them about the next episode. We're starting a series on home network security.
Look, this is a big deal. We've all experienced added security at work. This is exactly what
(26:27):
I thought. Like, we've all experienced that, you know. We've got different passwords or maybe
different ways of logging into things, you know, that added layer. But now we're going to talk
about your home security, your home network security. It's time we address the simple hows,
(26:47):
whats, and why we need to address our home security network, I'm guessing.
That said, don't worry. I know our master guardian well, and we're going to keep it simple. But
episode one, we will introduce a metaphor we're going to use throughout the series. So we like
using metaphors because it's simple, a little bit easier to understand. So yes, I'm pumped.
(27:14):
Hey, be ready. Home network security. Here we come. Yeah, I think. Yeah, I'm looking forward
to it. Me too. Me too. Got to do this too. Ah, I was early. Okay. That's our super simple show
(27:37):
today. If you're not a member of the IHP Academy already, please come join us for free. Stop
searching the whole internet for answers and never knowing who to trust. Ask us instead.
We made it super simple to find us and it only takes two minutes to sign up. Just visit
(28:03):
helpmegetsafe.com. Enter your name and your email. You're in. You can also find the link
in our show notes. Thank you for joining us and make it a great day. Bye bye.