In perhaps one of the most audacious advertising campaigns in the history of personal security technology, LifeLock Inc. Chief Executive Todd Davis famously gave out his Social Security number in commercials that seemed to run on a loop on broadcast and cable television throughout the mid-2000s. Davis even went so far as to put the number on the side of panel trucks that drove through major cities, and then filmed this stunt as a commercial that was re-broadcast on those same networks.

The implication was that Davis didn’t care who had his Social Security number because he was so well-protected by the identity theft monitoring and security offered by LifeLock.

That was until Davis’ identity was stolen at least 13 times. Most of us might like to think that we would be smart enough not to publicly broadcast our Social Security number, no matter how strong we think our identity protection services might be, but we often freely give out a number that can wreak as much havoc as our Social Security if it ends up being compromised: our phone number.

In tandem with a few other personal details, including the specific mobile telephone carrier tied to your number, hackers and identity thieves can steal money from your financial accounts, lock you out of other vital online accounts, and otherwise turn your life upside down and turn it into a living hell. Almost every web service, from personal banking to Google’s Gmail, PayPal, Cash App, Amazon, eBay and Instagram, relies on some form of two-factor authentication tied to one’s often very publicly available mobile number.

Think of the worst email or photo that you’ve sent to someone, or even the worst photo that has been uploaded in the background by your cloud service of choice. SIM swapping doesn’t need much technical proficiency, just a little web search and social engineering 101, to access just about any account connected to your phone through two-factor authentication.

Network lag

The only reason your own identity hasn’t been compromised or your privacy violated in a SIM swap attack like, say, Jack Dorsey’s or Justin Bieber’s, is because, unlike a celebrity or a famous holder of cryptocurrency, you simply haven’t been identified as a valuable target… yet.

You might be a target sooner than you think. The FBI says SIM swapping is increasingly becoming a more popular means of cyberattack. The attacks are sure to proliferate beyond even that and, as with any successful criminal enterprise, not only will the number of attackers increase, but also the diversity and number.

Like any other industry, it is easier for large mobile carriers like AT&T, Verizon and others to put their heads in the sand, opt for the status quo and deal later with whatever fallout might come from adopting the least proactive strategy.

The industry has long been warned about this danger. In October 2019, Michael Terpin, who along with Jack Dorsey is probably one of the most notable people to be the subject of a SIM swap attack, wrote a letter to the FCC urging changes such as moving away from PIN-based solutions and porting, along with limiting access to those PINs that’s currently granted to entry-level and even temporary employees.

It took the FCC two years to say it would require mobile carriers to adopt more secure porting authentication. Since that time, in October 2021, there have been no further updates. It won’t be difficult for even the least sophisticated of criminals to stay a few steps ahead of regulators and legislators who are working at their usual glacial pace.

More conscious carriers and more vigilant users

So what can we do about the problem independent of far-off government relief?  For one, mobile carriers themselves have to start taking this problem more seriously. On their side, that means putting user privacy at the forefront and moving away from poor security “solutions” such as short PINs that are easily compromised, often by the carriers’ own employees who see a bigger payday in secretly abetting criminality than in collecting a minimum wage. Perpetrators of these attacks are willing to pay $20,000 a month to insiders who will facilitate their attacks, so they have found an abundant supply of co-conspirators.

Users can be proactive too. For those who might be worried they can be a target, though turning on two-factor authentication is always better than not turning it on, it is worth using an alternative to your mobile number as the second factor, such as a physical security key (look for FIDO2 U2F keys) or using a secondary device solely for authentication.

More secure wireless services are coming to market soon, so keep an eye out for them. Needless to say, it also behooves users not to give out their mobile numbers when they don’t have to, while also removing whatever traces of said mobile number might exist online, as much as is possible. Google has recently committed to making this easier.

More than any of these single suggestions, though, we need to have a whole new mindset around security, protecting the mobile numbers that control almost every aspect of our online life and using two-factor authentication that is at least as strong as the first factor (hopefully a password better than “password” or “123456”). Thankfully, some web services are moving away from SMS-based two-factor authentication, as Twitter did shortly after the Twitter hack.

It might be too late for LifeLock’s Todd Davis or Jenny at 867-5309, but it doesn’t have to be too late for you to take very easy and potentially very necessary steps to avoid becoming a victim.

Jonathan Wilkins, CEO of secure wireless service provider Cloaked Wireless, is a 26-year veteran of the information security industry and an expert in offensive and defensive techniques. He wrote this article for SiliconANGLE.