Hacked Phone & SIM: How To Recover and How to Minimize Risk
Introduction
A friend’s mobile phone was recently hacked. The hackers then proceeded to contact their next targets using that phone’s contacts / address book. I was asked via WhatsApp to send a six digit code to allegedly help my friend with a 2-factor authentication emergency. RED FLAG!
What immediate steps should you take when this happens? How can you protect yourself? This article discusses what you should do if your phone - or a friend’s phone - is hacked, and what steps you should take to secure your mobile device now.
It is not a matter of whether phone hacking, phishing, and vishing will occur; it is a matter of when.
A Phone is Hacked
Malicious actors take over thousands of cell phones each day. It is not only inconvenient, but it can also cost you - sometimes financially and sometimes reputationally. The steps below highlight what you should do once you realize your phone is compromised and someone may have taken over your subscriber identity module (SIM) and phone number. Unfortunately, our phone numbers have become deeply sensitive personal information that can be used to upend our lives.
The Hack
The hack is simple and effective, and even tech savvy people are targets. Once one phone is initially compromised (e.g., stolen, lost, and a bad actor takes possession), the thief/hacker has access to your contacts, family photos, banking apps, etc. But this is just the beginning.
Hackers may contact everyone in the address book and present themselves as you.
The next step is simple: “Hey! Can you please share the 6-digit code for two-factor authentication I’m sending you? Thanks so much!”.
Of course, good friends and family are happy to help. But when they send the 2-factor code back to the imposter, they turn over the keys to their own phones, contacts, etc. And so the chain reaction continues.
With this 2-factor code, the hackers can even gain access to your SIM and take over your phone number. You will never know that they used it to access your bank account or any other sensitive activity that requires your personal phone and 2-factor authentication via standard short message service (SMS).
95% of cell phone hackers wear hoodies, according to most image content providers.
What Should You Do Immediately After the Hack?
If your cell phone gets hacked and your SIM is stolen, it’s important to act quickly to minimize damage and protect your personal data. These are some immediate steps you should take:
1. Disconnect Your Device from Networks
Immediately turn off your phone to disconnect it from Wi-Fi and cellular networks to prevent further unauthorized access.
2. Contact Your Mobile Service Provider
Report the SIM theft to your mobile service provider immediately. They can deactivate the stolen SIM (card or eSIM) and issue a new one.
Verify your identity using security questions or any other verification method your provider uses.
3. Change Your Account Passwords
Change the passwords of all your accounts linked to the phone number (e.g., email, banks, investment firms, social media, and especially any place where you’ve stored financial data like credit card information). This helps prevent unauthorized access.
This is where having a stand alone password manager is a lifesaver (NOT the password managers built into your web browser - you can assume those are all compromised if someone gains access to your email). More on this below.
Enable two-factor authentication (2FA) using a reputable authentication application rather than SMS. Check out Authy, Last Pass, Okta Verify, FreeOTP, Google Authenticator, or Microsoft Authenticator. Some weaknesses of these include limited backup and recovery, and cloud-based backups (security vulnerabilities).
4. Monitor Your Accounts for Suspicious Activity
Keep a close watch on your bank accounts, email, and social media accounts for any signs of unauthorized activity.
Report any suspicious activity to the relevant institutions (e.g., your bank).
5. Inform Your Contacts
Notify your contacts that your phone and SIM were compromised. This can help them avoid falling for any potential scams using your number.
It may be a bit embarrassing, but you are a good human for doing this.
An effective method: post a short personal video on social media and share it among your community of friends - quickly warn people that your phone was recently compromised and ask them to be skeptical if they receive a message from you asking them to do something out of the ordinary.
6. Secure Your Device
Run a security scan using a reputable antivirus or anti-malware app to detect any malicious software on your phone.
Consider performing a factory reset on your phone to remove any potential malware. Ensure you back up important data before doing this.
7. Report to Authorities
Depending on your level of outrage, you may file a report with local law enforcement. One advantage is that this may help in case of identity theft or further misuse of your personal information.
Report the incident to the Federal Trade Commission (FTC) or relevant consumer protection agency in your country.
8. Check Your IMEI
Verify the International Mobile Equipment Identity (IMEI) of your device on the official IMEI check website to see if it’s been reported stolen.
9. Get a New Phone Number
If you believe your phone number is highly compromised, you should get a new phone number from your mobile service provider.
What Can You Do to Lower Your Risk Profile?
1. Secure Your Phone
Review your phone’s security settings and update them to enhance protection, such as enabling biometric authentication (fingerprint or facial recognition). Designed with privacy in mind, Apple ensures these biometric markers reside only on your phone and are encrypted.
Your passcode, alongside face or fingerprint unlock, is what encrypts your phone. Therefore, it should not be “0000” - seriously. A best practice is to use an alphanumeric (letters and numbers), but you must weigh the risk v. convenience.
2. Delete Unused Apps
Zombie apps waste storage space.
They also create potential security vulnerabilities if they are not updated regularly.
Finally, unused apps may introduce privacy issues if they share your personal data.
For Android, open the Play Store, select the hamburger menu in the top-left corner, tap My apps & games > Installed > Alphabetical, and change the list to Last Used and remove any apps you don’t use.
On an iPhone, select Settings > General > iPhone Storage.
3. Conduct an Annual Privacy Audit
At least once every trip around the sun, go through your smartphone settings and review permissions for your apps.
For Android, select Settings > Privacy > Permission Manager and ensure apps do not access permissions, such as location services or the microphone, that don’t correspond with how you use them.
For iOS devices, select Settings > Privacy.
4. Defend Against SIM Swapping
Most mobile carriers offer some level of protection against SIM swapping, in which the hacker gains access to your accounts by activating a new phone with your mobile number.
T-Mobile: Activate T-Mobile’s Account Takeover Protection service. If you have multiple phone lines on your account, you must enable this feature for each line.
AT&T: In your AT&T account click Account Profile > Sign-In Info > Wireless Passcode > Manage Extra Security. Here, you can select another passcode that is required to change certain settings.
Verizon: You can set up a PIN to protect against unauthorized SIM transfers. Without the PIN, it is impossible to transfer a number to another carrier or phone. Dial *611 to speak to a representative to set it up. You can also add the PIN on your account page.
5. Start Using a Third Party Password Manager
This is essential personal data protection 101. Everyone should use an independent password manager. No password should ever be repeated.
Password managers help you create unique and complex passwords quickly and easily. Adequate entropy for passwords still requires 15 or more characters. I prefer to break my password into four or more short words, adding numbers and special characters, as well as certain themes, which help me quickly identify whether a password is not mine. For a visual, please see this iconic xkcd cartoon.
For extra security, use a password manager that is disconnected from the internet, including any cloud service. A locally stored vault of encrypted passwords is less convenient, but more secure. Some may value convenience over extreme security. I prefer KeePassXC. For mobile I use and recommend Strongbox.
6. Place a Security Freeze on Your Credit
A security freeze on your credit, combined with using a password manager in the previous step, can significantly reduce your risk of identity fraud-related crime.
Freezing your credit is now free - at one time the credit reporting agencies made us pay for this service, or we had to file a police report claiming identity fraud in order to waive the fees.
Although credit reporting agency websites are still shamefully poor at facilitating a “temporary thaw” to unfreeze your credit when you apply for a loan or a new line of credit, that pain is far less excruciating than having someone steal your identity and go on a shopping spree.
7. Educate Yourself and Stay Vigilant
Educate yourself about phishing, vishing, and other common tactics used by hackers.
Stay vigilant and cautious with any suspicious messages or emails you receive in the future.
Conclusion
If you want more information about how to protect yourself online, please reach out for a free consultation. 1GDPA helps not only businesses, but also individuals who, for many reasons, may need to present a lower public profile. 1GDPA supports the data protection and privacy needs of people who have survived abusive relationships, threats to their families, and other exigencies that demand strong protection of their personal data.
Sources
New York Times, Simple Online Security: Secure Your Smartphone
