Modern field guide to security and privacy

How to keep thieves from hijacking your cellphone account

No one is completely safe from identity thieves. I should know since I was a victim. But here's how to better protect yourself against scammers, and how to lessen the damage of identity fraud.

Kim Kyung-Hoon/Reuters
A woman tries Apple's iPhone 6 at an Apple store in Beijing, November 2, 2015.

A few weeks ago, a woman walked into a cellphone store, claimed to be me and asked to upgrade my phones. She walked out with two new iPhones with my numbers. 

I first realized what was happening when my phone stopped working mid-call. Surprised, I called my mobile carrier on a landline, learning that the account updates had deactivated the SIM cards in my Android phones. 

Soon after, the carrier's retail store got my phones working again. When I called my carrier to ask how the thief impersonated me, I was told that store employees would have asked for the account holder’s photo ID and the last four digits of their Social Security number. 

Eventually, I learned that the thief had used a fake ID with my name and her photo. She acquired the iPhones at a store hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not use either phone, perhaps intending to sell them. Worse yet, she may still be on the loose.

After I changed the password and added extra security to my online account, I called my carrier back several times to finish cleaning up this mess. 

I'm hardly alone in dealing with the aftermath of identity theft. Records of identity thefts reported to the Federal Trade Commission offer some insight into how often thieves hijack a cellphone account or open a new mobile phone account in a victim’s name.

In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2 percent of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3 percent of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the Department of Justice, less than 1 percent of identity theft victims reported the theft to the FTC.

Recent media reports also chart the rise in this kind of fraud. In 2013, Forbes reported that the US government had seized over 5,500 phones acquired fraudulently by a Michigan business that was shipping them overseas. Victims have also found themselves billed for devices they never bought, including 50 Denver customers fraudulently charged for iPhone 6s, iPads, and new service plans, and a North Carolina church that received an AT&T bill for 17 iPhones purchased by an identity thief. 

Fraudsters can gather the information they need in more ways than ever. Using reverse-lookup websites, criminals can identify the carrier associated with any US phone number for free, and in some cases they can also find the subscriber's name and address. Black market websites sell dossiers that include Social Security numbers. Victims also still fall for social engineering scams, such as criminals posing as the carrier with fraudulent claims of a service interruption.

Some thieves use a hijacked phone number to break into financial accounts that rely on two-factor authentication through text messages. They first obtain the victim's bank account login information, either by purchasing it on the black market or by phishing it from the victim.

Then they impersonate the victim, call the victim's phone company to report that the phone has been damaged or stolen, and convince the company to cancel the SIM card and activate a new SIM card carrying the victim's phone number in the thieves' own phone.

With control of the number, thieves can complete bank account transfers by answering the phone calls and text messages the bank sends to the victim's phone number to confirm the transactions. The victim's phone stops working as soon as the SIM card is swapped. It usually takes the victim several hours or days to get phone service restored, and longer still to notice that the bank account has been emptied.

This is what you can do

One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. 

AT&T offers a feature it refers to as "extra security." Once activated, any interaction with AT&T, whether online, by phone, or in a retail store, will require you to provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note that when you log in online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option, or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows its customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows its customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should reduce your risk of a mobile account takeover. However, it does not offer complete protection, so remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says "emergency calls only" or "no network," even after you restart it, contact your mobile carrier to see whether your account has been hijacked.

Also, visit the Federal Trade Commission's identitytheft.gov website, which includes step-by-step instructions for reporting the theft and for the recovery process. 

What mobile carriers should do

Carriers should adopt a multilevel approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Many mobile carriers are already obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

This crime is particularly problematic because of the growing use of text messages to mobile phones as part of authentication schemes. The security of any two-factor authentication scheme that relies on a phone depends on keeping thieves from taking over your phone number. Mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and of having email, social network, and other accounts compromised.

Lorrie Cranor is the chief technologist at the Federal Trade Commission. This post was adapted with her permission from a recent blog she wrote. Follow Lorrie on Twitter at @lorrietweet.
