used with permission from FTC Business Center Blog, by Lorrie Cranor, Chief Technologist
A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.
My Experiences as a Victim of ID Theft
One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.
The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.
I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.
I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following theIdentitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.
I called my mobile carrier back several times over the next few days to finish cleaning up this mess. One of my phones had ended up with the wrong phone number and the other one no longer had voice mail. A few days later I received an email about mobile phone insurance that the thief had apparently added to my account. After three trips to my carrier’s retail stores and many hours on the phone, my carrier eventually fixed all the problems and refunded the fraudulent charges.
I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by Identitytheft.gov, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail story in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.
The Growing Problem of Phone Account Hijacking
Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.
Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.
Media reports on mobile phone account hijacking provide more evidence of this problem. A 2013 Forbes article reported that the government had seized over 5,500 phones from a Michigan operation that allegedly acquired them fraudulently from AT&T, Verizon, Best Buy, Radio Shack, and Apple stores and was shipping them overseas. The article reported that thieves used stolen identities to upgrade phones and add phone lines to existing accounts. In February 2015 more than 50 customers in the Denver area complained that Verizon had charged them for iPhone 6s, iPads, and new service plans they had not ordered. A North Carolina church received an AT&T bill for 17 iPhones purchased by an identity thief. In December 2015, four suspects were charged with using fake identity documents to purchase iPhones at AT&T stores in Kansas. In April 2016 three people arrested in a traffic stop in New Jersey were found to have fake IDs with the names of identity theft victims that they had used to fraudulently acquire iPhones. In May a man was arrested in Oregon for trying to buy four iPhones at a Verizon store using a fake ID. The man had previously been arrested twice on similar charges.
The Identitytheft.gov reports indicate that it is common for thieves to hijack a mobile phone account and also open other accounts in the victim’s name, days or weeks later. These are often mobile accounts with other carriers or credit cards for retail stores. In addition, some victims reported that identity thieves also changed the email addresses associated with their financial accounts.
Some victims did not have their mobile account hijacked, but instead received bills or calls from bill collectors about accounts with other carriers that identity thieves had opened with their names.
Most of the account hijackings likely occurred without the victims having provided information to fraudsters themselves. There are a number of reverse-lookup websites that will identify the carrier associated with any US phone number for free. Some will also identify the name of the subscriber and their city and state for free, and will sell the complete address for less than a dollar. There are also black market websites that sell dossiers that include social security numbers.
Other victims have also recounted falling for a phone scam in which the caller impersonated a representative from their mobile carrier. One victim reported that before their account was hijacked, a caller fraudulently claiming to be from their mobile carrier told them that their phone service would be down for 24 to 48 hours. Another victim reported that that a phony representative from their carrier’s fraud department called them and asked them to read back a code that had just been texted to their phone. When the victim complied, the fraudster was able to impersonate the victim and make unauthorized changes to their mobile account.
Perhaps most insidious, some thieves use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. This is known internationally as a “SIM swap” scam, or “SIM splitting.” The New York Division of Consumer Protection also warns about this scam on their website.
Thieves first purchase the victim’s bank account info or acquire it through a phishing attack. They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.
Industry experts I spoke with at a company that provides authentication services for mobile banking told me that SIM swap scams have become common in Europe and are increasing in the United States. In addition to obtaining information through phishing attacks, they told me that fraudsters often purchase victims’ information from black market sellers, or from rogue employees of financial institutions or mobile carriers. Unfortunately, there is little a consumer can do to prevent this.
What You Can Do
I asked all the major mobile carriers what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to their customers in a slightly different way.
AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note, that when you login online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.
Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.
T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.
Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.
Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.
What Mobile Carriers Should Do
The mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. In fact, many of them are obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.
Carriers should adopt a multi-level approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.
Having a mobile phone account hijacked can waste hours of a victim’s time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts. The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.
The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.