If it can happen to her, chances are it can happen to lots of people. In a scenario that’s growing increasingly common, the chief technologist of the US Federal Trade Commission recently lost control of her smartphone after someone posing as her walked into a mobile phone store and hijacked her number.
Details of the incident were provided by the FTC’s Lorrie Cranor in a blog post published Tuesday morning with the headline “Your mobile phone account could be hijacked by an identity thief.” In it, Cranor wrote:
A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.
My Experiences as a Victim of ID Theft
One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.
The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.
I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.
I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the Identitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.
The FTC chief technologist went on to invoke federal law to force the unnamed carrier to provide the paperwork filed by the identity thief who hijacked her account. Cranor discovered that the thief used a fake ID that showed Cranor’s name and the thief’s photo. The thief acquired the iPhones at a retail store in Ohio hundreds of miles from Cranor’s home and charged them to Cranor’s account on an installment plan.
Cranor said that the incidence of mobile phone account hijacking is growing. In January 2013, the FTC received reports of 1,038 such hijackings, accounting for about 3.2 percent of all the identity thefts reported that month to the FTC. By January 2016, the FTC received reports of 2,658 hijacks, representing 6.3 percent of identity thefts that month.
There’s no evidence the thief who hijacked Cranor’s account used either of the associated numbers, a sign that suggests the thief’s intention was to sell the phones for a profit. But if such attacks are viable in financially motivated crimes, there’s no reason they couldn’t be used in espionage and stalking as well. That’s an unsettling thought, considering mobile phones are often the way people receive multi-factor authentication messages and also access their incoming text messages.
Tuesday’s post provides tips for locking down accounts with each of the four top US carriers. The tips should be considered mandatory safeguards for anyone concerned about their privacy and security.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.