NORTH TEXAS (CBSDFW.COM) – Crooks can now steal your phone without ever laying hands on your device.
In an age when cell phones contain multitudes of personal information, the threat known as SIM swapping can upend a person’s entire life.
Scammers can hijack people’s phone numbers to access their accounts and passwords.
Mark Hopkins lost his phone without ever putting it down.
“It was a bit of a panic because everything in my life is in my phone,” Hopkins said.
One minute, Mark Hopkins was playing on his iPhone. The next, he was locked out of it.
“All of a sudden mine says, ‘Network not found,'” Hopkins said. “As soon as I switch on the WiFi, it says my gmail password had been reset.”
Hopkins, who works in IT, realized his SIM had been swapped.
That means someone had switched his phone number to another device. Two weeks later, it happened again.
In both cases, he contacted his phone carrier immediately to lock the account.
“If it had not had happened when I was awake, they would have had a lot more time to play,” Hopkins said.
Scammers are impersonating victims by asking wireless carriers to transfer their phone number to a new SIM card.
In other instances, company employees have even been accused of participating in “inside jobs,” as alleged in a federal lawsuit.
Plaintiff Michael Terpin filed a lawsuit against AT&T in California after he was hit by two attacks in seven months, resulting in the loss of nearly $24 million in cryptocurrency coins.
In the lawsuit, his attorneys claimed an imposter was able to obtain Terpin’s telephone number from an insider working with the hacker without the AT&T store employee asking him to show valid identification or to provide Terpin’s required password.
“In one notorious instance, AT&T employees were found culpable for stealing personal information for over 200,000 customers and selling it to criminals to unlock mobile phones,” the lawsuit states. “This massive security failure prompted the Federal Communications Commission to levy a record fine of $25 million and secure a Consent Decree requiring AT&T to implement detailed measures to enhance its subscribers’ protection against unauthorized disclosures of their private information.”
After a SIM swap, crooks can access a person’s passwords and bank information, especially if the phone is used to receive security codes for other accounts.
“It comes down to time and motivation,” said a professional hacker who goes by the handle, Whiskey Neon.
Professional hacker Whiskey Neon said crooks can bypass security measures using social engineering, which is a way of collecting details that are already out there.
Using a legal program called Gibson, Whiskey Neon found my personal information in seconds.
The results included my social media accounts, address and driver’s license information, which a hijacker could use to fake my identity.
The good news is not everyone is at the same level of risk.
Scammers target people with valuable information or cash flow.
For example, Hopkins works with cryptocurrency.
“Am I going to go through all the effort to get some random grandmother’s phone number?” Whiskey Neon asked. “Probably not.”
High-profile targets include Twitter CEO Jack Dorsey, along with actress Chloe Moretz.
Hijackers stole their numbers, then took over their Twitter accounts.
But law enforcement is taking notice. Just this year, at least 13 individuals nationwide have been charged in connection with SIM swapping.
Hopkins knows he almost lost everything. That’s why he says if you get hit, contact your carrier immediately.
“If it goes more than an hour, they’ve got everything they need,” Hopkins said.
To further protect your information, tell your phone carrier you are concerned about safety. Most companies will flag your account, which will require an extra level of security in the form of a password if someone requests to transfer your number.
When sites prompt you to answer personal security questions to verify your identity, do not use real information a scammer could find online. Provide fabricated responses to questions such as your pet’s name or the model of your first car so no one but knows the answer except you.
Instead of your phone, use authentication apps to receive verification codes that allow you to access accounts.
Several major carriers issued statements to The Ones for Justice about how they try to combat SIM swapping:
“Verizon is continuously making strides to enhance the security and protection of our customers information. Customers should download the My Verizon App to stay informed and take advantage of the latest security enhancements. Verizon has made a number of enhancements to protect our Customers against SIM Swapping and Unauthorized Port-Outs. We require customers to complete enhanced authentication steps to perform a SIM Card change or device change request. Additionally, customers have the option to enable a Port Freeze that will prevent their number from being Ported Out to another carrier without first removing the Port Freeze; they may request a Port Freeze by calling Verizon Customer Service by dialing *611 from their mobile phone. Customers may also enable Enhanced Authentication to protect their account with two-factor authentication. To learn more click here.”
“Account takeover fraud is an industry-wide problem. These are criminal attacks against wireless customers and it is in everyone’s best interest to stop them.
We are constantly working hard to do this and use several safeguards to help protect against this crime and offer customers a variety of options, including PINs, to help them protect their own information. T-Mobile accounts must have a 6-15 digit PIN, and a customer’s number cannot be ported without verification of that PIN. We encourage customers to contact us to discuss security measures available to them. Also, it’s important to note that T-Mobile will never proactively reach out and ask you to provide information, like your passcode.
More information about T-Mobile’s account verification processes is available here. More information on setting a customer PIN/Passcode is available here.”
“We confirm a customer’s identity before account changes can be made. Customers can learn how to help protect themselves from this scam by clicking here.
Also: ID authentication is required for important account changes in retail. We also require similar changes attempted over the phone or online to be verified in person with an ID.”