
Mobile Security Factors to Protect Your Phone from Criminals

Mark Kreitzman talks about SIM swapping, mobile security, and how most mobile carriers are putting you at risk.

Your phone is not as secure as you think. There are lots of ways that hackers, criminals, and even opportunistic amateurs can get access to the information on your phone. And with a technique called SIM swapping, they could even steal your entire phone account – meaning your phone number and all your data are now in a criminal’s hands. And SIM swapping can let criminals get through your two-factor authentication, putting your money and accounts at risk. If you haven’t been thinking about your mobile security, it’s time to start!


See Preventing SIM Swapping Scams with Mark Kreitzman for a complete transcript of the Easy Prey podcast episode.

Mark Kreitzman has been in cybersecurity since before it was called cybersecurity. He joined his first security company in 2002, and has been building companies to defend against evolving cyber threats ever since. One of his companies was bought by Microsoft and became part of its cloud-based email security. Another was acquired by Cisco Systems as part of their web security solution. He’s spent the last seven years focused specifically on mobile and phone security. His current company is Efani, a mobile security service.

Why Mobile Security Matters: A Personal Story

One of the reasons Efani exists in the first place is because Mark was the victim of a mobile security incident. In 2017, he had a startup in the cryptocurrency space. One day, he was driving through the Arizona desert between Tucson and Phoenix when his mobile service vanished – not just no bars, it was completely gone. There was nowhere he could stop and find a phone to do anything about it, so he just kept driving. The whole way, he hoped that his service had stopped because he hadn’t paid his bill. But he knew he had it on auto pay.

Once he arrived at his destination and his phone connected to the wifi, six different password reset notifications popped up. He had been SIM swapped – someone had stolen his mobile account. They then used his verified phone number to get into a crypto account, a bank account, a cloud storage account, and an email. Interestingly, they only stole his account for 61 minutes. After that, they ported it back to his phone.

For months, Mark was afraid to sleep, travel, or use wifi in case he didn’t notice he’d been SIM swapped again. Then he got angry. His account was set up so that the only way to make changes was for him to show up at a store with two forms of ID. He had all this experience and knowledge in cybersecurity, but all it took to do this to him was one employee at a third-party retail store lying about Mark being in front of him. Mark actually dropped his crypto project. Instead, he connected with the one person who claimed to have solved this mobile security issue. Together, they founded Efani to stop it from happening to other people.

How Mark Got SIM Swapped

It took a lot of work for Mark to actually figure out what was going on. Carriers don’t like to talk about these incidents. The first person he talked to, right after the event, checked the account and discovered that the attacker had ported the account back after 61 minutes. But it was hard to get more information.

When you get SIM-swapped and the carrier recognizes you got attacked, they go into liability protection mode. … [They] won’t tell you anything.

Mark Kreitzman

They gave him an 800 number. But when he called, they said the line was only for police. The police didn’t want to get involved because Mark couldn’t prove the criminal was local. When he eventually did convince one to call, they were told they needed a subpoena. Lawyers said that nobody would bother getting him a subpoena since he didn’t lose more than $200,000.

Eventually, Mark had to trick the carrier to get the answer. He went into a retail store and told the employee a story. He said he’d been traveling and lost his phone, so he stopped at a third-party store to buy a new phone and get his number ported to it. Then he found his phone, so he went back and asked the employee to port the number back. He wanted to send them a card, but he couldn’t remember their name or where the store was.

The employee there looked up the transaction and gave Mark an employee ID. From that ID, Mark managed to actually find the person. Then he called the carrier and said he had the name and ID of the culprit. They finally told him the truth. It was that employee’s last day, and he SIM swapped three people. Mark was just one of the unlucky victims.

The Mobile Carrier Industry is Bad at Security

It sounds crazy that one disgruntled employee at a third-party retail store would be able to override Mark’s verification requirements to commit this crime. But it really is that easy. If you can get approved as a retailer, you get access to mobile carriers’ portals. And with those portals, just a few pieces of information are enough to port someone’s number. You don’t even have to know anything about them. It’s easy and convenient for the customer because they can change their mobile carrier more easily. But it means mobile security isn’t great.

We'd probably use our phones differently if we knew how terrible mobile security was.

Carriers try to prevent this from happening, but sometimes criminals can become retailers through fraud. Then they send out a promo to thousands of people promising a great deal on their next few months of wireless service if they switch now. People try to take the deal, but they actually get SIM swapped. They don’t know that this is a fraudulent carrier only planning to be open for a day or two.

If people knew how open mobile was, they would definitely use their phones a little bit differently.

Mark Kreitzman

The Evolution of Mobile Security Risks

The first people targeted through mobile security issues were celebrities. When a celebrity has their photos stolen from their cloud storage, it’s most likely due to a mobile security attack. It started off as mostly harassment or blackmail. But when banks started using phone numbers for verification, the criminals started targeting high-profile people for their money. They would also hold social media accounts for ransom and all sorts of things.

When crypto became a big thing, these criminals started doing SIM swapping to access their crypto. A lot of people who invested in it didn’t know anything about security, so they were sitting ducks. Some didn’t even realize their accounts had been stolen.

There are also some more recent developments that have changed the game. Before eSIMs, a hacker could only port one number at a time, and that SIM card could actually be blocked at some point. But these days, an iPhone 15 has two eSIMs and each of those can handle eight eSIM lines, although only two can be active at the same time. With just one phone, hackers could SIM swap sixteen people, delete those, swap sixteen more, and keep going indefinitely.

How Data Breaches Affect Mobile Security

The other thing that’s changed is data breaches. Travel bureaus, government databases, hospital systems, even the carriers themselves have been breached. If your information is exposed, criminals probably have your name, phone number, and email, at the very least. And AI search tools can do a lot of damage with that. Even outside of criminal use, there’s a sales tool on LinkedIn that will let you filter people very specifically. And that tool comes up with a lot of related elements.

Mark had someone run that tool on him. It came up with four different emails, two of which he forgot he had, three old landlines, and an assortment of mobile numbers, some of which were old and some of which were current. One of the emails was a super-secure one that he didn’t think the tool should have been able to find. These AI search tools can take just a little bit of information and use it to target you really effectively.

Companies don’t always admit when they have data breaches. When they do, they’ll often say that you should be careful, but don’t worry too much, because they have it all under control. They want you to relax and not be concerned, because it’s highly unlikely that criminals will use your data right away. And if they’re reassuring enough and convince you to relax and forget about it, when you’re SIM swapped or there’s a new loan in your name, you won’t even think to trace it back to them.

Anytime these companies have a data breach … they want you to sit back, because nine months from now when you get SIM-swapped or there’s a loan taken out in your name, you won’t be able to link it back to them.

Mark Kreitzman

Warning Signs of SIM Swapping

It’s great to know what mobile security risks are threatening our phones. But if you don’t know what to watch for, you won’t know if it’s happening to you. And the sooner you can react, the sooner you can do something.

It's important to know the signs your mobile security has been compromised.

The biggest sign that you’ve been SIM swapped is that your phone has no network. This is different from no service. If you’re in a patch of bad reception or have gone out of your coverage area, you won’t have service, but you’re not SIM swapped. If you’re traveling internationally, you may have no service, but you still have a network (even if it’s far away) and aren’t SIM swapped.

If you have one bar showing then you’re not SIM-swapped.

Mark Kreitzman

When you should be worrying about your mobile security is when you get an error you’ve never seen before. It will probably say something like “no network detected” or “no carrier available.” What that means is that your phone doesn’t recognize it has a carrier SIM anymore. It may physically have the SIM or the eSIM in it, but the account has been removed and ported to another SIM on another phone. If you see any error like that, it’s time to call your carrier and make sure.

How Efani Protects Your Mobile Security

Any SIM swap has someone with the carrier involved. They may be in on the scheme, or even the only person doing the scheme, as with what happened to Mark. But they could also be unknowingly involved. Criminals often use social engineering to trick carrier employees into helping them commit their crimes. But however it’s done, it requires an insider.

A SIM swap requires an insider. That insider can be part of it knowingly, or they could … have been tricked.

Mark Kreitzman

Efani is set up as a retail seller for AT&T and Verizon. But once you port your number to Efani, they are your mobile service provider. And they lock your mobile service down for the best security. Once you’re locked down, another carrier can’t use their portal to pull you out. They’d have to call and talk to a real person at Efani, and that person can make sure it’s really you trying to make this change. And none of your data will show up on the retail stores’ portals, either. If you have AT&T through Efani, you can walk into an AT&T store, show all your ID, and ask a question about your account, and they won’t be able to see it.

All of this is by design. They’re reducing the number of people who can see your information or change your account. Therefore, they’re reducing the number of people who can be social engineered or bribed and the number of potential criminals who can wreak havoc with your information. By eliminating all that access, they can put most of their security budget into making sure their systems are safe from hackers, increasing your mobile security even more.

Protect Your Privacy and Security on Mobile

In addition to protecting your mobile security, Efani also wants to protect your privacy. They don’t do freebies like the free Netflix, Hulu, or Disney+ subscriptions that some carriers give out. Anyone who does that is selling your data to that company. Any third parties involved can collect your data.

If you’re worried about data being collected, it’s way beyond what anybody realized.

Mark Kreitzman

And it’s not just your carrier who puts your mobile privacy and security at risk. Many people assume that carriers own their own cell towers. They don’t. There are 107 cell tower providers. Carriers are just paying for space on those towers. Each of those is another company that could potentially have your data. And with your device, there are chips, apps, the operating system … it takes a lot of vendors to make a text or phone call happen. And all of them have the opportunity to collect your data.

The best thing you can do is to have an antivirus and make sure you’re using a VPN. Be careful how you use your phone and what links you tap. Be careful of data breaches, especially if your information is part of it. When traveling, turn off settings like AirDrop and Bluetooth. And never let your wifi automatically connect – it could connect to a malicious network by accident. These are all steps you can take to improve your mobile security.

Learn more about Efani, what they do, and different types of hacks on efani.com or on their YouTube channel. If you’re interested in using Efani to protect yourself, sign up at efani.com/whatismyipaddress for a $99 discount.
