The Hell of losing your number in the age of SMS 2FA

I was starving, and I decided to call in an order for burritos (you can usually save a few bucks calling in person, instead of using ripoff middleman services like doordash and uber eats.) when I was connected instead to a Sprint customer service line. The problem was I was a boost mobile customer. So began my march to the horrible realization that my boost mobile account had been compromised, and that the party that had done so had ported my number to sprint. Then came the deluge of emails, all asking if I was trying to reset my account. I had to act quickly, so I made the call to treat my old number as compromised.

The first step to reclaim my accounts was to call boost and get a handle on this. This is where they lost my business, because at first they tried to tell me they had no record of my number. I told them to check again, and I talked to a rep one more time. I was then put on hold, and the next person to pick up the phone was a paralegal from boost saying they’d filed an injunction to get my number back.

The second step was to change passwords on all of my banking services, and to replace my contact phone number with a trusted number temporarily. This is huge, as SMS password resets are a popular strategy for hackers attempting to access monetary information. Then, I reset my email account passwords for extra security, and began keeping an eye on incoming reset emails. The attackers even tried to break in to my Etsy account. I’m still having some difficulty with services that I was only logged in to over mobile, and it’s turning out to be a minor headache to changing your phone number w/out access.

My third and final step was to replace both my phone and phone number, in the case my phone had been compromised by malware as well. I’m with a new carrier, and they allowed me to restrict my account so that in order to make any changes, I have to show up in person with photo ID. This is a huge relief, and massive peace of mind compared to the pathetic 4 DIGIT PIN and phone number combo “security” that Boost mobile has.

I have never experienced this before, and I have to say, I never want to again. I’ve been reminded of the importance of cyber-security, and I would go so far as to say that Boost Mobile is actively criminally negligent in their account security practices. I was extremely lucky; to my knowledge, I haven’t had anything stolen as a result of this security breach. I have rethought my position on SMS 2FA, and I deem it an unacceptable, restrictive, vulnerable, and antiquated method of identity verification.