If you're at all savvy about online security, you already know to be cautious about sharing personally identifiable information. You think twice before you post your birth date to social media, or tell people your street address or your mother's maiden name. 

But there's one piece of personal information you can't avoid giving out--your mobile phone number. Without it, no one would be able to contact you. Whenever you buy anything online, subscribe to a new service, meet a new friend, or sign up for any kind of text notification, it's something you inevitably share.

It turns out that, in the wrong hands, that simple piece of information can be used to steal your identity and take over nearly every online account you have. And it's surprisingly easy for hackers to do just that in a simple two-step process:

Step 1: A hacker who's found out your cell phone number and one or two other bits of information, such as your address and date of birth, contacts your mobile carrier claiming to be you. The hacker tells your carrier to "port out" your number to a different phone--one in the hacker's possession. If your carrier asks for details such as your address and date of birth to confirm that it's really you, the hacker will answer correctly. Soon the hacker has switched your number to that phone and is able to receive calls and texts intended for you. (You will probably continue receiving calls and texts as well, so you may have no idea that anything has changed.)

Step 2: The hacker next logs into your email account. Whoops! The hacker doesn't know your password. But that's OK. The hacker can tell your email software that he or she "forgot" the password and have a reset sent to "your" mobile phone. You've probably given your email provider your mobile phone number as a backup in case you ever forget your password, in which case this is a pretty easy step. 

Once the hacker has access to your email account, it's easy to gain access to any of your other accounts--just click "Forgot Password" and wait for a password reset link to arrive in what was once your email. If you have two-factor authentication enabled on any of your accounts and the codes arrive by text message, those secret codes will be sent to the hacker at "your" phone number. He or she can even gain access to your bank accounts, and if the hacker calls the bank, their caller ID will make it look like the call is coming from you.

Are you scared yet? You should be. This is not a theoretical security flaw. There are real live hackers using mobile numbers to access people's accounts right now. Millions of dollars in bitcoin and other cryptocurrencies have been stolen this way already. It even happened to TechCrunch writer John Biggs, who was locked out of all his online accounts in the space of half an hour. Cryptocurrency owners like Biggs are primary targets because transactions in cryptocurrency can't be reversed, so it's easier to get away with it, and easier to spend the money without being tracked. But it could happen to anyone any time.

So what can you do about it? Actually, there's a pretty simple way to prevent it. Let your mobile carrier know that you want to add an extra layer of security or password to your account, something you can often do online. (Scroll to the end to see how to add extra security to AT&T, T-Mobile, Verizon, and Sprint accounts.) You may also want to simply call your carrier and ask them to enable this extra protection. Once it's in place, anyone who tries to make changes to your mobile account, such as switching it to a different phone or SIM chip, will need to provide this password first, effectively preventing anyone who doesn't know the password from stealing your phone number and all that goes with it. It's a small extra effort that can give you a lot of peace of mind.

Published on: Feb 5, 2019
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.