Most — if not all — hacking doesn’t look anything like TV or the movies. It doesn’t involve highly skilled programmers using super-secret software, there are no flashy or fast-moving graphics or popups, and almost nobody ever uses the word “mainframe.”

Instead, most hacking starts with social engineering, which is basically just well-informed or really convincing lies. Scammers lie to grandparents all the time in the hopes of duping them into sending irretrievable prepaid gift card funds. Other hacks see bad actors lying to service providers — for example, a phone carrier’s customer service representative being conned into believing a scammer is you, and giving said scammer access to your account. That technique makes SIM swap attacks easy, and AT&T’s new Account Lock feature thwarts them with ease (Source: AT&T via The Verge).

A simple fix for a big problem

One toggle switch that prevents a world of headaches

Social engineering starts with a fraudster manipulating a person or system into believing the fraudster is someone else. A would-be hacker can sometimes gather enough information from public records or relatively innocuous leaks to bypass both automated and human-verified security checks. After that, the scammer could, for example, change your shipping address on record, then buy a new device using your credit.

They could also request a SIM card change, which is called a SIM swap attack. Once your number is tied to their SIM, critical two-factor authentication messages are redirected to their device, and they gain access to sensitive accounts. Bank accounts, email accounts, and even government-run services can all fall prey to the scheme.

That’s where AT&T’s new Wireless Account Lock feature comes into play. It’s a simple toggle built into the carrier’s app that, when active, completely prevents device purchases and upgrades, SIM card and phone number transfers, and other important changes.

The idea is, you activate the lock whenever you’re not planning on making any account changes. When you need to update or upgrade something, you disable it, then re-enable it after finishing the transaction. Because it’s part of the carrier’s app local to your phone, a scammer would essentially have to convince you that they are, well, you — and if that’s a possibility, you might need to address a couple of issues beyond your digital security.

Granted, social engineering can give evildoers access to a wide range of different accounts. But SIM swap attacks via a carrier’s customer service system remain a major vector for accessing other crucial services. You can protect other important accounts with additional methods, like standalone authenticator apps that generate time-sensitive codes for multifactor authentication, or passkey services (if and when passkeys finally mature) that link specific devices to users and their accounts using encrypted tokens stored on private cloud accounts.

Ultimately, AT&T’s new Wireless Account Lock feature (and the Business Account Lock version, for commercial customers) doesn’t utilize any groundbreaking technology (and is far from the first such carrier service). But it doesn’t need to. Social engineering is a frustratingly simple, time-honored way of defrauding users both digitally and in the real world. Yet another easy-to-use protection feature can only be a good thing for AT&T customers, and you should enable it today, because you don’t actually have to make any mistakes or do anything wrong for nefarious impersonators to steal critical parts of your identity.