I recently watched a CBC Marketplace segment called “How hackers take over your accounts using social engineering”. It was really alarming how bad people can effectively steal your mobile phone number. These bad actors use well-known social engineering tricks to deceive a customer service representative at your phone company, such as Rogers or Bell. Once they convince your carrier that it is you, they can proceed to associate their own SIM card with your existing number. They can also lock you out of your account by changing the PIN and password information attached to it.
This means any security that is tied to your mobile phone, which includes many two-factor authentication schemes that deliver codes by SMS or voice call, can be easily compromised using this technique. The weakest link is therefore your phone company’s authentication process and the competence of the employee who is applying it. This is a very thin shield against hackers who are well versed in social engineering tactics.
Unfortunately, at this point there is no defence that I am aware of. I hope that more and more companies will deploy two-factor authentication that is not solely dependent on your mobile number, because as the CBC video shows, it can be easily hijacked. Companies should deploy a mobile app that requires authentication and use the app to facilitate two-factor authentication.
Others have suggested keeping your mobile number secret, but I think this is largely impractical.
Be afraid. I am.