Lorrie Cranor Shares First-Person Account of Having Her Mobile Phone Hijacked by an ID Thief

By TAP Staff Blogger

Posted on June 23, 2016



Lorrie Cranor, the Chief Technologist for the Federal Trade Commission, recently wrote a post describing her experience when her mobile phone account was hijacked. In “Your Mobile Phone Account Could Be Hijacked by an Identity Thief,” Ms. Cranor also explains the growing problem of phone account hijacking and offers suggestions for combating these types of scams.

Below are a few excerpts from “Your Mobile Phone Account Could Be Hijacked by an Identity Thief.”

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid-call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the Identitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by Identitytheft.gov, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.

The Growing Problem of Phone Account Hijacking

Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

Most of the account hijackings likely occurred without the victims having provided information to fraudsters themselves. There are a number of reverse-lookup websites that will identify the carrier associated with any US phone number for free. Some will also identify the name of the subscriber and their city and state for free, and will sell the complete address for less than a dollar. There are also black market websites that sell dossiers that include social security numbers.

Perhaps most insidious, some thieves use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. This is known internationally as a “SIM swap” scam, or “SIM splitting.”

Thieves first purchase the victim’s bank account info or acquire it through a phishing attack. They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

What You Can Do

I asked all the major mobile carriers what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to its customers in a slightly different way.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

What Mobile Carriers Should Do

The mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. In fact, many of them are obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

Having a mobile phone account hijacked can waste hours of a victim’s time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts. The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

Read the full post from Lorrie Cranor’s Tech@FTC blog: “Your Mobile Phone Account Could Be Hijacked by an Identity Thief.”

Lorrie Faith Cranor joined the US Federal Trade Commission as Chief Technologist in January 2016. She is on leave from Carnegie Mellon University where she is a Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Co-director of the MSIT-Privacy Engineering Masters program.