My Mom just had her phone number and email account stolen

I just asked T-Mobile for a port-out PIN, and it gave me one that says it expires in four days. What good is that?
 
Thanks for the PSA.

I had a chat with my wireless carrier, Red Pocket Mobile, after I couldn't figure out how to get or set up a port PIN.
A friend's mom recently had her cellphone number ported to a fraudster's cellphone where it was used for 2FA to access financial accounts, etc. How can I prevent that from happening with our Red Pocket phone lines? I've heard about a separate port pin and port blocking.

I am sorry to hear that. RedPocket Mobile has proper security protocols to avoid unauthorized port-out of the account. You have the option to obtain your account number, transfer PIN, and port protection. Additionally, we are not allowed to provide any information without verification from the customer. If the customer can't verify the account, we have the right to decline the request. We can assure you that the accounts are secured on our end.

Ok, that's comforting. So to be clear, if a fraudster obtained my email address, DOB, cellphone number and cellphone unlock PIN they couldn't port my number to a phone that they control?

That is correct. We can't release the phone number to a new carrier without proper verification from the customer. We need to make sure all of the information is accurate.

Ok, thank you!
 
I just asked T-Mobile for a port-out PIN, and it gave me one that says it expires in four days. What good is that?
Only guessing but I think that means that your port out is already locked and they gave you a pin to use thinking that you wanted to get your number ported to another phone/carrier. See my post above (#17). Go into your T-Mobile account and make sure the SIM protection is on. If you are not sure, call them back.
 
I just did this at T-Mobile and it's a little different. I had to go into my account and turn on SIM protection. Similar to locking your credit report. I'd have to log into my account to turn it off if I get a new phone. I'm good with that. I don't understand why having it locked isn't the default. When I went in, SIM protection was off.
When I was checking my account settings I noticed that you can add an authenticator app for confirmation. Maybe that means something that a cell company doesn't trust phone 2FA. In the olden days when I got my T-Mobile account they had you set a 6 digit PIN to confirm your identity. The few times I called they let me around the pin by asking something like my dog's name. :)
 
The few times I called they let me around the pin by asking something like my dog's name. :)
That's pathetic. Based on the sophisticated nature of my mom's scammers, I'm pretty sure they know her dog's name. They've pinged me several times already.
 
That's pathetic. Based on the sophisticated nature of my mom's scammers, I'm pretty sure they know her dog's name. They've pinged me several times already.
You don’t need to use your real dog’s name. For sites that still do the three questions, I give nonsense words and save them in my password manager. The only site that I have found that restricts your answers is United Airlines.
 
When I was checking my account settings I noticed that you can add an authenticator app for confirmation. Maybe that means something that a cell company doesn't trust phone 2FA. In the olden days when I got my T-Mobile account they had you set a 6 digit PIN to confirm your identity. The few times I called they let me around the pin by asking something like my dog's name. :)
Consider this: You have phone 2FA enabled and then, you lose your phone. Now you can't get into your account to transfer your number to a new phone. If you have the authenticator app, in my case the Google app, you can retrieve the authenticator code on another device to access your account.
 
Consider this: You have phone 2FA enabled and then, you lose your phone. Now you can't get into your account to transfer your number to a new phone. If you have the authenticator app, in my case the Google app, you can retrieve the authenticator code on another device to access your account.
Thanks, I'm looking into things like that. Is this essentially 3-factor authorization?
 
Consider this: You have phone 2FA enabled and then, you lose your phone. Now you can't get into your account to transfer your number to a new phone. If you have the authenticator app, in my case the Google app, you can retrieve the authenticator code on another device to access your account.
Are you sure about this? My wife has an authenticator for her school email. When she got a new phone, the University IT department said the app was tied to the phone and they had to start the process all over again. She couldn’t access the email without the original phone.
 
You don’t need to use your real dog’s name. For sites that still do the three questions, I give nonsense words and save them in my password manager. The only site that I have found that restricts your answers is United Airlines.
I use randomly generated PINs as my answers. The answers are stored in a local password manager so I don't have to write them down on a piece of paper ;) .
 
You don’t need to use your real dog’s name. For sites that still do the three questions, I give nonsense words and save them in my password manager. The only site that I have found that restricts your answers is United Airlines.
+1. One of my favorite questions is "Name of your pet." I usually give it something that is not associated with a pet or any pet for that matter.
 
Are you sure about this? My wife has an authenticator for her school email. When she got a new phone, the University IT department said the app was tied to the phone and they had to start the process all over again. She couldn’t access the email without the original phone.
I have two separate phones in front of me as I type this, both with Google Authenticator, and both Authenticators show an entry for T-Mobile with the same code displayed.

Edit to add: I think if you only had one set up in advance and that device was lost or otherwise not functional there might be a problem setting it up on a second device later.

Here's what Google says about it: Get verification codes with Google Authenticator - Android - Google Account Help
 
I have two separate phones in front of me as I type this, both with Google Authenticator, and both Authenticators show an entry for T-Mobile with the same code displayed.

Edit to add: I think if you only had one set up in advance and that device was lost or otherwise not functional there might be a problem setting it up on a second device later.

Here's what Google says about it: Get verification codes with Google Authenticator - Android - Google Account Help
I guess you are safe then. It didn’t work that way for my wife. It would only send a code to the specific phone.
 
I guess you are safe then. It didn’t work that way for my wife. It would only send a code to the specific phone.

I will add that my brokerage uses Symantec VIP for authentication. It doesn't work like Google Authenticator. If you have Symantec on separate devices they show different code numbers. My brokerage does allow for more than one to be registered to my account so that allows me to have a backup. I have heard that some other brokerages only allow one to be registered, which would leave one without a backup if something happened to the phone.
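
The two behaviours described in the posts above, as an added example that is not part of the original thread: Google Authenticator implements TOTP (RFC 6238), so two phones enrolled with the same secret show the same code, while a site that registers a separate credential per device sees different codes and must check each one. The secrets, device names and the `verify` helper are constructed for illustration; treating a per-device token as "its own secret" is an assumption, not a description of any vendor's internals.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets (base32). SHARED is the RFC 6238 SHA-1 test key.
SHARED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # enrolled on phone A and phone B
BACKUP = "JBSWY3DPEHPK3PXP"                   # separate credential on a spare device


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on secret and time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)           # 8-byte time counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(registered: dict, submitted: str, unix_time: int,
           window: int = 1, step: int = 30):
    """Server side: return the name of the registered credential that produced
    the code (allowing +/- `window` time steps of clock drift), else None."""
    for name, secret in registered.items():
        for drift in range(-window, window + 1):
            expected = totp(secret, unix_time + drift * step, step)
            if hmac.compare_digest(expected, submitted):
                return name
    return None


if __name__ == "__main__":
    now = 1111111109                                  # fixed time so output is repeatable
    print("phone A :", totp(SHARED, now))             # same secret ...
    print("phone B :", totp(SHARED, now))             # ... same code
    print("spare   :", totp(BACKUP, now))             # own secret, different code
    account = {"phone": SHARED, "spare": BACKUP}      # two registered credentials
    print("spare accepted as:", verify(account, totp(BACKUP, now), now))
    print("only one registered:", verify({"phone": SHARED}, totp(BACKUP, now), now))
```

The practical point for account recovery is the last two lines: a backup device only helps if its credential was enrolled before the primary phone was lost.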
 
Consider this: You have phone 2FA enabled and then, you lose your phone. Now you can't get into your account to transfer your number to a new phone. If you have the authenticator app, in my case the Google app, you can retrieve the authenticator code on another device to access your account.
I think you can transfer your number to a new phone if you lose your phone. I would just need to call the provider, answer 20 questions proving that it is really me, and then they do it.
 
I just asked T-Mobile for a port-out PIN, and it gave me one that says it expires in four days. What good is that?
That's something different. What you want to do is log into your T-Mobile account (webpage or app) and find two toggles, one locks your SIM(s) and the other locks your number(s). I just turned both on in my account. There is no separate PIN, you're dependent on the primary account holder's password (to get logged into the T-Mobile account) for security. Any authorized user can turn these features on but only the primary account holder can turn them off when you actually DO want to port a phone or change a SIM.
 
Consider this: You have phone 2FA enabled and then, you lose your phone. Now you can't get into your account to transfer your number to a new phone. If you have the authenticator app, in my case the Google app, you can retrieve the authenticator code on another device to access your account.
Luckily all our financial institutions allow two 2FA numbers so we'd only be in real trouble if we lost both phones.
 
Luckily all our financial institutions allow two 2FA numbers so we'd only be in real trouble if we lost both phones.
My Mom and Dad had two phones, plus mine as a third backup, all with 2FA. All of the scamming took place while we were sleeping.
 
My Mom and Dad had two phones, plus mine as a third backup, all with 2FA. All of the scamming took place while we were sleeping.
Yeah, pretty scary. Thanks a million for sharing here. My T-Mobile account is now set to block SIM-swapping and port-out fraud. And I'm thinking of a better account password than the not-awful-but-could-be-better one I have now.
 
I have also begun looking into security weaknesses more generally at my financial institutions. A topic of great interest is what it takes to reset my password. The strongest password imaginable is useless if they make it easy for a scammer to reset it by claiming "I" forgot it.
 
I have also begun looking into security weaknesses more generally at my financial institutions. A topic of great interest is what it takes to reset my password. The strongest password imaginable is useless if they make it easy for a scammer to reset it by claiming "I" forgot it.
1,000% and if they've already ported your SIM, they're minutes from stealing everything
 
.... They somehow compromised outlook, then added an email alias to the hackers account that instantly gave them full access to all my email history on my server. Decades of accounts.

Password resets commenced by hacker via 1 link sign-ons where they could. ...
Can you explain this? I don't understand the "added an email alias to the hackers account". I use gmail - could this happen to me, and how would I know?
 
Once they get the 2FA code, they boot you off as "alternate email", then they add themselves. Happens in 3 minutes. You may get the "If this wasn't you...." message. But by then, it's too late
 
- enable sim swap protection and account takeover protection on your cell phones
- if you are getting spam and phish email in your inbox, consider a new email address with a better spam filter. I find Gmail has a good spam filter
- if your email is on this site consider getting a new one :
- consider having separate email / emails that you only use for important accounts like financial accounts
- email like Gmail has an authenticator. Use it.
- use a password manager and accept its default created passwords
- for phones use filter unknown callers setting
- for texts use filter unknown texts. Consider text filter like “Junkman” app (unfortunately this app just became a paid one)
- freeze credit at major agencies

If one has a very vulnerable senior, there is a PC app called “seraph secure” that can protect against scammers taking over someone’s PC. I put it on my mom's PC and it eventually did alert me that a scammer was attempting to log into my mom's PC. I called my mom and was able to interrupt the hacker.

Also see



 