Security Tip: Switch away from texting for identity verification

These days many people rely on receiving text messages to login to websites. It's typical to receive a code via text message that you punch in to confirm you're the account owner. That's great in theory, but in reality texting is one of the least secure methods for sending information. This is due to a scam called "SIM Swapping," which allows scammers to redirect text messages to their own phones by posing as the owner of your cellular account. If you can imagine the temptation of a cell phone store employee to sell a new phone (and make a commission) when a person walks in and offers cash to buy a phone and connect it to "their" account, you can see why these scams can succeed. Even new FCC rules have not yet stopped the scammers.

Luckily, there are several straightforward steps you can take to bolster your protection.

1. Download your cellular carrier's account management app to your phone, and make sure to log in. Typically the app will notify you when a change is made to your account, so that you can react if necessary.

2. Turn on the Number Lock feature through your cell carrier to ensure that an additional password or verification is required to redirect your text messages to a new device. While you're at it, ask your cell carrier what info they require to verify your identity, and if that info might be discoverable by other people (such as your social security number or date of birth), request that an additional security password be added to your account. 

3. For critical accounts such as email or cloud storage (iCloud, Google, Microsoft, Dropbox, Backblaze, etc) opt to use a "1-time passcode generator" instead of text messages for verification. Once this is setup, instead of receiving texts, you enter a temporary password that is displayed in a password manager on your phone or computer. iPhones and Macs now have this option built in. Our favorite password manager, 1Password, can also generate these passwords for you.  There are other free options for generating 1-times passcodes such as Google Authenticator and Authy. 

We are happy to help in this process, to get your most critical logins moved away from text message based security so that you are less vulnerable to SIM swapping.