Table of Contents
- How does the portability scam work?
- The problems of the portability scam
- About portability lock
- SIM swap example
- How to protect yourself?
- What to do if you are a victim of the scam?
A new crime has appeared on the internet and can cause serious financial problems. Called the portability scam (SIM swap), it consists of changing the operator of the victim's cell phone number. Once the scammers complete the port, they gain access to social media logins and can even ask for money in the victim's name, without any consent from the person targeted.
Understand how the scam works and how to protect yourself. We've also put together tips on what to do if you become a victim of this new scam.
How does the portability scam work?
Using leaked personal data such as CPF, email and phone number, criminals request a change of operator while impersonating you. This gives them the text messages that social networks and email services send to confirm a login. If two-factor authentication is enabled via text message only, they will easily gain access to your accounts.
Another way for the portability scam to work is through malicious employees within the operator itself, who manage to make the switch without even the customer requesting it. It works like this: imagine that you have a Claro number and a person who works internally at Vivo manages to request portability (we use these operators as an example, to illustrate the case), gaining access to the SMS messages from your number.
Finally, the information needed to change a number's operator can also be provided by you: in contact made via WhatsApp or even by telephone, the criminals pose as operator support agents. Since they only need your full name, CPF and, at most, an email address, everything can be done in at most 15 minutes if the victim believes the fake contact.
In all of these situations, the real owner of the number notices the change of operator only when the current operator's SIM goes inactive, data and voice service on the line is interrupted, and posts have been made on their accounts without consent.
The problems of the portability scam
Even though messaging apps like WhatsApp and Telegram dominate the exchange of messages, SMS is still used to send identity confirmation codes for various online services. Once the user's number is activated on another cell phone, the login codes are received by the crooks, and the victim's social networks are used to ask for money.
The same goes for WhatsApp: if two-factor authentication is not activated in the application, a confirmation code sent via SMS is all that is required to connect your account on another smartphone. With access to the groups you belong to, the criminals can ask people you know for money, even using your profile picture saved on Meta's servers.
The same goes for email: if only one code is needed to log in on a new computer or smartphone, the passwords can be changed and you may no longer be able to recover your accounts.
About portability lock
A solution circulated on social networks for the portability scam is a carrier switch lock, which would supposedly stop the change from taking place. The problem is that this simply does not exist, and operators such as Claro, Vivo and TIM rely on other means to confirm a requested portability.
Vivo states that the operator change request can only be made in person. In addition to visiting a store, the customer must confirm via an SMS sent to the number *8486. The company also points out that any notice is given only through its official channels, and that it does not contact customers to request personal data.
Claro does allow portability to be requested by telephone, but the customer must also confirm via SMS for the process to be validated. This can prevent criminals from succeeding with the portability scam.
So, if you ever hear about portability blocking, know that Brazilian operators do not offer it. TIM faced legal problems for allowing portability without a customer's confirmation and, although it argued that the customer had been negligent in letting her data leak on the internet, the judge in the case found that the company had failed in providing the service.
The process of confirming via SMS before the chip is deactivated is recommended by Conexis (National Union of Telephone and Mobile, Cellular and Personal Service Companies). The request must be made in person or over the phone, but everything is still being implemented little by little. Until May 2023, only numbers with DDD 64 had active protection.
"Telecommunications companies have been continually improving anti-fraud procedures, with the porting process also being improved to become more secure."
Conexis (National Union of Telephone and Mobile, Cellular and Personal Service Companies), on portability validation
SIM swap example
The journalist Maju Mendonça, who has more than 3 million followers on Instagram, has already been a victim of the portability scam: from one day to the next, her Instagram profile was taken over by criminals. She says she noticed the problem when she could connect to the internet only via Wi-Fi and no longer had the operator's signal, as the chip was inactive. With access to her social media, the criminals used photos of her and her daughter to ask for money. Her WhatsApp and Apple ID were also accessed.
"I found it strange, but I thought it could be a problem with the operator, which is sometimes out of range, but then a little later I noticed that I had lost access to my WhatsApp and my social networks. Then I realized that I had been hacked. They were very poorly made art, but they also stole pictures of me with Luísa and made a cute little text."
Maju Mendonça, on the portability scam
When contacting Claro, she found out that a Vivo employee had requested portability to the purple operator. She was instructed to file a police report online after going to a Claro store and managing to retrieve the number.
"It is a rather bureaucratic procedure, but if there is someone inside the operator with information, access to the system and with bad intentions, they can achieve this. And then he managed to migrate not only the number to another operator but also the ownership of the chip."
Broadcaster Arthur Luís, on the portability scam his wife suffered
How to protect yourself?
The portability scam is one hell of a headache. In addition to all the time needed to reverse the process with the operator, which can take many hours, there is also the financial risk, as your contacts may fall for the scam thinking that you are, in fact, asking for money for an emergency. See some actions you can put into practice to not become a victim of this crime.
Use a strong password
It may sound simple, but in 2022 alone, “Samsung” was one of the most used passwords on websites and smartphones. When you use a simple combination such as your date of birth, a relative's name or similar, you make it easier for crooks to gain access to your social media and email.
With access to your password and active phone number to receive the SMS confirmation, the crooks can do whatever they want. Therefore, it is highly recommended to use strong passwords, which contain a combination of letters (uppercase and lowercase), numbers and symbols. Another good practice is to use a unique password for each online service.
Use a password manager
These apps allow you to save login data (username and password) to your accounts without having to memorize them. With a master password, you can log in quickly and securely, as passwords are saved in a secure environment.
Although these programs are known as “password managers”, they end up delivering a complete package of protection features. That depends, of course, on the quality of each program and on any subscription packages, but in general all of them offer some level of security. Ultimately, the idea is that you only remember the master password that gives you access to the password manager, instead of having to remember every password you have.
Google Password Manager works on both smartphones and computers, and stores your passwords whenever you authorize it. Those who use iOS can make good use of the iPhone password manager, which validates your identity via Face ID or fingerprint reading.
Another good option is LastPass, which is quite full-featured: it generates passwords, gives security tips and is available on any device, including smartphones. Always use an app like this to keep your passwords saved in a secure environment.
Turn on 2-step verification
One way to make sure a new login happens only with your confirmation is two-step verification, using applications such as Google Authenticator or Microsoft Authenticator. They add a second layer of protection to your accounts by generating temporary codes that confirm access to your social networks, emails and other types of accounts. That goes for Facebook, Twitter, Instagram, Discord, and many other sites.
You just need to install one of the applications on your smartphone and then configure your accounts. When someone tries to log in on an unknown device, the code will be requested, and access is granted only to someone who has the authenticator application.
Activate PIN on WhatsApp
PIN confirmation is a way to prevent your WhatsApp account from being registered on a new smartphone. Once you have set a six-digit code in the application, a new login can only be completed if that code is typed on the unknown device. The verification happens even when the SMS is delivered to the phone number. See how to activate it in the steps below:
On Android, tap the three-dot menu and then Settings. Now select the Account option.
Your next step is to tap Two-step confirmation and then Activate. You will need to create a unique 6-digit combination and confirm it by typing it again.
Be very careful not to use simple strings like 123456 or even your birthday.
The screen that will appear after confirming the PIN will require you to enter an email that you have access to, followed by one more confirmation.
And done! Everything is configured so that you have one more layer of security. Remember not to share your code with strangers.
On the same two-step confirmation screen, you can deactivate, change the numeric combination or even change the email address you just registered. The process is similar for those who have iOS.
From time to time the app itself will ask you to enter the PIN as a reminder. You will have to enter the same combination to be able to use the app. There is a similar function in WhatsApp Business.
Showmetech has also published a complete article on what to do if your WhatsApp is hacked; be sure to check it out.
Contact your carrier when you notice suspicious activity
In addition to trying to get money, crooks can also port a number to take advantage of your internet and calling plan. If you notice that your limit is being reached sooner than usual, it's worth calling your operator to check whether you have fallen for the SIM swap scam.
Another big warning sign is receiving a portability confirmation SMS. Besides not confirming a process that you did not request, it is worth contacting the company you are a customer of to find out why the SMS was sent and to head off any problems.
Remove third-party apps from your accounts
Finally, it is worth keeping an eye on applications that have access to basic data from your social networks, such as username, phone number and email. With a simple confirmation, the portability scam can be launched and you can experience a lot of problems.
It always pays to log in directly by entering your email and password instead of using a simplified login. That way, you prevent website owners from having access to data that can be used in scams that go beyond portability.
Be wary of suspicious calls
Generally, companies you are a customer of already have your personal data. So if someone calls asking for your CPF, RG number or any other information, do not pass it on to the “assistants”, and confirm the request with the operator of your telephone number.
When they need to confirm some data, telemarketing agents usually request only part of your document number, and that alone is enough for the service to be carried out. Any contact that goes beyond this can be a scam. The same goes for messages sent via WhatsApp.
What to do if you are a victim of the scam?
The authorities' first recommendation is to file a police report online or at the police station closest to your home so that the incident is recorded. Then contact your carrier to reverse the process.
If those responsible are found, the portability scam can bring a prison sentence of one to five years. But if the contact is made through a social network, via telephone or even by e-mail, the crime is considered electronic fraud, with a sentence of imprisonment from four to eight years and a fine.
Have you ever been a victim, or do you know someone who has had problems with this crime? Tell us in the comments!
Reviewed by Glaucon Vital on 9/8/23.