What’s worse than thieves hacking into your bank account? When they steal your phone number, too
WASHINGTON — On a Monday morning in May, I woke up and picked up my cell phone to read the news and scroll through memes. But I had no signal. I couldn’t make calls or send texts.
But that turned out to be the least of my problems.
I checked my email on my home WiFi connection and saw a notification that $20,000 had been transferred from my credit card to an unknown Discover Bank account.
I thwarted the transfer and reported the cell phone issues, but my nightmare had only just begun. Days later, someone managed to transfer $19,000 from my credit card to the same strange bank account.
I was the victim of a form of fraud known as port-out hijacking, also known as SIM swapping. It is a less common form of identity theft. New federal regulations aimed at preventing port-out hijackings are under review, but it is not yet clear how far they will go to stop the crime.
Port-out hijacking goes a step further than hacking a store, bank or credit card account. In this case, the thieves take over your phone number. All calls or texts go to them, not to you.
If your own phone access is lost to a criminal, the steps you once took to protect your accounts, such as two-factor authentication, can be used against you. It doesn’t help if a bank sends a text message to verify a transaction when the phone receiving the text is in the hands of the person trying to break into your account.
Even if you are relatively knowledgeable about the technology and follow all recommendations for protecting your technology and identity, it can still happen to you.
According to experts, these types of scams will only increase and become more sophisticated. The figures show that it will get even worse.
I’m not the most tech-savvy person, but I am a journalist with a law degree specializing in financial reporting. Due to the online nature of my work, I’ve learned all the methods to stay safe online: constantly changing my passwords with multi-factor authentication, logging out of apps I don’t use regularly, and keeping my personal information off the internet.
However, despite being safe, I was vulnerable to criminals, and it took me a lot of time and effort to get my money and phone number back.
The FBI Internet Crime Complaint Center reports that complaints about SIM swapping have increased more than 400% from 2018 to 2021, with 1,611 complaints about SIM swapping and personal losses exceeding $68 million.
The number of complaints about this crime to the FCC has doubled, from 275 complaints in 2020 to 550 reports in 2023.
Rachel Tobac, CEO of SocialProof Security, an online security company, says the crime rate is likely much higher because most identity theft goes unreported.
She also says that two-factor authentication is an outdated way to protect consumers, as it is possible to find someone’s phone number, date of birth and social security number through numerous public or private databases on the internet.
That thieves can get hold of your personal data became clear again on Friday when AT&T said that nearly all of its customers’ data was downloaded to a third-party platform in a security breach two years ago. Although AT&T claims no personal information has been leaked, cybersecurity experts warn that breaches involving phone companies could leave customers vulnerable to SIM swapping.
For now, it is easy to switch a number from one phone to another, and it can be done online or by phone. The process takes less than a few hours, as long as a criminal has your personal information on hand.
While consumers need to be smart about using different passwords and security measures, they should “put pressure on companies that see it as their job to protect our data,” Tobac said.
“We need them to update consumer protection protocols,” she said, as two-factor authentication is not enough.
The FCC’s rules recently changed to force companies to do more to protect consumers from these types of scams.
In 2023, the FCC introduced regulations requiring wireless carriers to use “secure methods to authenticate a customer before forwarding a customer’s phone number to a new device or carrier,” among other new rules. Businesses would be able to require more information when a customer attempts to port a phone number to another phone, such as government identification, voice verification or additional security questions.
The rules were supposed to come into effect on July 8, but on July 5 the FCC granted waivers to telephone companies, delaying implementation until the White House Office of Management conducts a new review.
The wireless industry had sought the delay, saying, among other reasons, that companies need more time to comply. CTIA, which lobbies on behalf of the companies, said the new rules require major changes in technology and procedures, both within the wireless companies and in their interactions with phone manufacturers.
But if the FCC rules had been in place, my phone number would have been harder to steal, experts say.
Ohio State University professor Amy Schmitz says the new FCC rules make it easier for consumers to protect themselves, but protection still depends on consumer action and awareness.
“I still wonder whether consumers are aware of this and will take steps to protect themselves,” she said.
It took 10 days for me to get my number back from Cricket Wireless. And that was only after I told company representatives I was going to write a story about my experience.
During that time, the scammer gained access to my bank account three times and ultimately successfully transferred $19,000 from my credit card, despite me removing my bank account number, freezing my credit, and changing all my passwords, among other things.
Bank of America reversed the $19,000 transfer after I visited a branch near the AP office in Washington.
Cricket apologized for the error and said in an email that it “expects to deliver a much better customer experience.”
“Fraudulent port-outs are a form of theft committed by sophisticated criminals,” the company said in an emailed statement to me. “We have measures in place to help defeat them, and we work closely with law enforcement, our industry, and consumers to help prevent this type of crime.”
An AT&T representative told me in an email that “all carriers are working to implement the FCC’s new rules on port-outs and SIM swapping.”
I still don’t know how this person got into my accounts. Is it through my social security number, phone number, date of birth, or maybe a recording of my voice?
It was a harsh lesson in how vulnerable we are when we lose control of our personal information that is so publicly available.