Modern field guide to security and privacy

How to keep thieves from hijacking your cellphone account

No one is completely safe from identity thieves. I should know since I was a victim. But here's how to better protect yourself against scammers, and how to lessen the damage of identity fraud.

Kim Kyung-Hoon/Reuters
A woman tries Apple's iPhone 6 at an Apple store in Beijing, November 2, 2015.

A few weeks ago, a woman walked into a cellphone store, claimed to be me and asked to upgrade my phones. She walked out with two new iPhones with my numbers.

I first realized what was happening when my phone stopped working mid-call. Surprised, I called my mobile carrier on a landline, learning that the account updates had deactivated the SIM cards in my Android phones.

Soon after, the carrier's retail store got my phones working again. When I called my carrier to ask how the thief impersonated me, I was told that store employees would have asked for the account holder’s photo ID and the last four digits of their Social Security number.

Eventually, I learned that the thief had used a fake ID with my name and her photo. She acquired the iPhones at a store hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not use either phone, perhaps intending to sell them. Worse yet, she may still be on the loose.

After I changed the password and added extra security to my online account, I called my carrier back several times to finish cleaning up this mess.

I'm hardly alone in dealing with the aftermath of identity theft. Records of identity thefts reported to the Federal Trade Commission offer some insight into how often thieves hijack a cellphone account or open a new mobile phone account in a victim’s name.

In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2 percent of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3 percent of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the to the 2014 National Crime Victimization Survey conducted by the Department of Justice, less than 1 percent of identity theft victims reported the theft to the FTC.

Recent media reports also chart the rise in this kind of fraud. In 2013, that the US government had seized over 5,500 phones acquired fraudulently by a Michigan business that was shipping them overseas. Organizations have found themselves mistakenly billed for devices, including 50 fraudulently charged for iPhone 6s, iPads, and new service plans, and a an AT&T bill for 17 iPhones purchased by an identity thief.

Fraudsters can steal information in more ways than ever. Using reverse-lookup websites, criminals can identify the carrier associated with any US phone number for free, and in some cases, they can also find subscribers' names and addresses. Black market websites also sell dossiers that include Social Security numbers. Victims can still fall for social engineering scams, too, including criminals who use fraudulent claims of service interruptions.

Some thieves can also use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages, by purchasing the victim's bank account information, or obtaining it in a phishing attack.

Then they impersonate the victim and call the victim’s phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone.

Thieves can then make bank account transfers by responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

This is what you can do

One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account.

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store, will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to . Note that when you log in online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to . Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

Also, log on to the Federal Trade Commission’s website, which includes step-by-step instructions for reporting the theft and for the recovery process.

What mobile carriers should do

Carriers should adopt a multilevel approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Many mobile carriers are already obligated to comply with the , which, among other things, requires them to have a written identity theft prevention program.

This crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes. The security of two-factor authentication schemes that use phones depends upon keeping thieves from stealing your phone number. Mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

Lorrie Cranor is the chief technologist at the Federal Trade Commission. This post was adapted with her permission . Follow Lorrie on Twitter at .
