#TechTips: 2FA Scams (a.k.a SIM Card Swapping)

By Jonathan Rivlin, CPA

As a part of the #WFH (Work From Home) movement, security — which has always been important — must take an even higher priority. At the same time, we are helping our clients stay in business, keeping up with all the new federal and state rules and programs, and counseling business owners through the notion that they are not “essential”…

We have a lot of compelling issues demanding our attention, and also, some of us are now teachers for our primary school-aged children.

Here’s something that will make your blood run cold: “2FA Scams.”

Many sites require “2FA,” or Two-Factor Authentication. The IRS requires it also.

What this usually means is that when you log in to a website, that site will want to send you a 4-, 5-, or 6-digit PIN code via SMS to your cellphone. Some sites work with an authenticator app (Google and Microsoft each have their own app) that provides a 6-digit token that changes every 60 seconds.

That’s all well and good, assuming your cellphone hasn’t been stolen. And when I say stolen, I don’t mean as in physically.

It’s possible for your phone’s number to be ported to another device without your knowledge or consent. This is often called SIM card swapping.

In those cases, the thief would then receive all the 2FA notifications. And then, you’re toast; the thief can change all your access codes, addresses, bank numbers, etc., and you’ll have profound difficulty proving this to a customer support rep over the phone.

The best way to protect yourself from this is to set either a PIN or a challenge question with your cellphone provider. And here we get variations in security. Some cellphone providers don’t have this ability, and their users are exposed. Others do offer this ability and provide some level of protection.

Here is a call to action: Call your cellphone provider and ask if they have the ability for the account manager to set a security PIN or password. If they do, great – set this up. If not, change companies to one that does. Here is an overview of the four major carriers:

  • Verizon – provides an ‘administrative lock’ and ‘port freeze’ feature, but you have to call in to set it up.
  • Sprint – requires PINs by default.
  • AT&T – allows, but does not require, a password.
  • T-Mobile – prompts users to set up PINs.

If you have AT&T, you need to act on this, as this company appears to have the weakest security protocol.

Not only are our cellphones a vector for viruses (don’t just wash your hands, wash your phones!), but they are also a vector for identity theft. Out of all the things on your to-do list, this should be considered both urgent and important — as in, drop what you’re doing and attend to this.