Why Your Phone Number Is Valuable to Hackers
, by Karin Tansey
Last time we met, I explained why your email account is valuable to hackers-what value it has and how it could be used to gain access to more of your coveted personally identifiable information (PII) than you might think. But it's not just your email that hackers want; they want your phone number, too. How can your number used for identity theft? Read on.
Cell phone numbers are particularly valuable, as they have become the modern-day equivalent of your wallet. Your mobile device contains valuable information like your contacts list (a great way to get a list of your friends-future identity theft targets), affinity account and reward numbers (frequent flyer miles have a value that thieves can cash in on), web history and other equally valuable information. To get your phone number, two tactics are commonly deployed. Let's see them in action and how they play out. To click or not to click? That is the question.
- SMISHING: This tactic is used to send a hyperlink to a mobile device in the hopes that the user will click it, invariably launching some sort of malware directly onto the device. But nobody clicks on links received from users they don't recognize, right? Riiiiight (note heavy sarcasm here). Unfortunately, piggybacking on top news items like the latest Kardashian shenanigan or a major sporting event like the World Cup or Super Bowl, people still do what they know they shouldn't and click away. It's even easier if the hacker manages to convince you that the URL is coming from someone you know.
Hackers often have this information because, well, they're hackers. They hack. Nefarious evil-doers can use cell phone numbers they've obtained from data leaks resulting from attacks like the SnapChat and Target hacks to send mass text messages to people with websites obscured by shortened URLs (for example: it can make http://www.IMHackingU.com to look like http://tiny.ae93al.com/) making it nearly impossible for anyone to really know what they are clicking on and where they are going to end up.
Imagine that you're a Target customer and receive the following text message from an unrecognized phone number, what would you do? "Target Corp. Security - Due to the recent security breach, all users are encouraged to go to http://tiny.ae93alk.com to securely reset your password." As we've learned in the wild, wild, Internet frontier, it only takes one mistake-one click-to send you to the equivalent of a digital "pokey". URLs disguised in this manner are the perfect avenue to install malware or viruses on your smartphone with you being none the wiser.
- VISHING: This is the technique used by fraudsters to "phish" (solicit and obtain critical information) from you via voice communication. Essentially, they social engineer their way into your trust level to make you believe they are trustworthy in order to obtain critical and personal information needed to carry out their evil doings. This works because they sound nice, are pleasant and polite and are able to engender your trust over the phone.
Using technologies like Spoofcard, or by simply routing the call through their own Automatic Number Identification (ANI) masking tool, fraudsters can trick the caller ID functionality of your phone to display a fictional incoming phone number. This amazingly cheap technology allows people to pretend to be anybody-from a representative of a company with which you are affiliated with to a trusted business associate's secretary-in order to convince you to hand over your user ID, password, date of birth or Social Security number. They'll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just to confirm your Social Security number) or even Microsoft (just let them log into your PC remotely) to try to gain access to your personal or financial information or even install malware on your devices.
Imagine this scenario: ` VICTIM: Looks down at phone's caller ID that says 800-123-4567 "Hello?" BAD GUY: "Hello. This is John Smith from XYZ Card Services - Security Division. Due to the recent security breach, we've identified that your account was compromised. For security purposes, before I can continue this call, I need you to please confirm your date of birth and Social Security Number." VICTIM: "Oh..yeah, I heard about that. Sure. May 1, 1983 and 123-45-6789."
So, how do you safeguard against these tactics? Get antivirus for your mobile device. I know, you were expecting me to say "Do not click on hyperlinks on your mobile devices," right? Look, most of us already know this and do it anyway, so rather than dispersing the "don't do that" advice, I propose the "do this instead" method. Make sure you have some sort of anti-virus software running on your phone. There are plenty of options available nowadays from renown security vendors like AVG, McAfee, eNod, etc. It can't protect you against everything-nothing can-but it can at least help.
Don't ever give out or confirm personal information over the phone. Unless you are initiating the phone call to an established phone number that you trust and can confirm. Major companies and financial institutions usually have policies that prohibit them from making outbound calls and asking customers to "validate" secure and personal information. If you're unsure, ask if you can call the representative back using the number on the company website. Stop giving out your phone number. If you want to enable people to contact you, even though you just met them, consider getting an alternate number that can automatically route calls and text messages to your real mobile phone number. Google Voice happens to be a free service and one that I enjoy every time I post items for sale on craigslist.org. These are just a few steps you can take to better protect yourself, but in general, just be cautious about sharing your personal information.
What tactics do you use to protect your information and devices?
Karin Tansey is the Senior Director of Product Management at myFICO and an online security expert.