One Monday morning in May, I woke up and grabbed my cell phone to read the news and scroll through memes. But it was out of cell service. I couldn’t make calls or texts.
That, though, turned out to be the least of my problems.
Using my home Wi-Fi connection, I checked my email and discovered a notification that $20,000 was being transferred from my credit card to an unfamiliar Discover Bank account.
I thwarted that transfer and reported the cell phone issues, but my nightmare was just starting. Days later, someone managed to transfer $19,000 from my credit card to the same strange bank account.
I was the victim of a type of fraud known as port-out hijacking, also called SIM-swapping. It’s a less-common form of identity theft. New federal regulations aimed at preventing port-out hijacking are under review, but it’s not clear how far they will go in stopping the crime.
Hey guys on the Intertubes, perhaps you’ll never see this, but if you do, please read the following: SMS is a terrible way to 2FA, don’t do it, ever.
I was pretty annoyed when a couple apps forced me to start using an authenticator, but I’m glad for it now.
I joined the pro-OTP club when I found open source alternatives to Google, Microsoft Authenticator and Authy (which Twilio would later ruin). Before I didn’t like it.
Pretty much all the sites I use offer authenticator apps or passkeys/security keys. But my bank only offers SMS and sets a limit on password length.