How to keep thieves from hijacking your cellphone account

No one is completely safe from identity thieves. I should know since I was a victim. But here's how to better protect yourself against scammers, and how to lessen the damage of identity fraud.

A woman tries apple's iPhone 6 at an Apple store in Beijing, November 2, 2015.

Kim Kyung-Hoon/Reuters

June 8, 2016

A few weeks ago, a woman walked into a cellphone store, claimed to be me and asked to upgrade my phones. She walked out with two new iPhones with my numbers. 

I first realized what was happening when my phone stopped working mid-call. Surprised, I called my mobile carrier on a landline, learning that the account updates had deactivated the SIM cards in my Android phones. 

Soon after, the carrier's retail store got my phones working again. When I called my carrier to ask how the thief impersonated me, I was told that store employees would have asked for the account holder’s photo ID and the last four digits of their Social Security number. 

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

Eventually, I learned that the thief had used a fake ID with my name and her photo. She acquired the iPhones at a store hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not use either phone, perhaps intending to sell them. Worse yet, she may still be on the loose.

After I changed the password and added extra security to my online account, I called my carrier back several times to finish cleaning up this mess. 

I'm hardly alone in dealing with the aftermath of identity theft. Records of identity thefts reported to the Federal Trade Commission offer some insight into how often thieves hijack a cellphone account or open a new mobile phone account in a victim’s name.

In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2 percent of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3 percent of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the Department of Justice, less than 1 percent of identity theft victims reported the theft to the FTC.

Recent media reports also chart the rise in this kind of fraud. In 2013, Forbes reported that the US government had seized over 5,500 phones acquired fraudulently by a Michigan business that was shipping them overseas. Organizations have found themselves mistakenly billed for devices, including 50 Denver customers fraudulently charged for iPhone 6s, iPads, and new service plans, and a North Carolina church that received an AT&T bill for 17 iPhones purchased by an identity thief. 

Fraudsters can steal information in more ways than ever. Using reverse-lookup websites, criminals can identify the carrier associated with any US phone number for free, and in some cases, they can also find subscriber's names and addresses. Black market websites also sell dossiers that include Social Security numbers. Victims can still fall for social engineering scams, too, including criminals that use fraudulent claims of service interruptions.

Some thieves can also use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages, by purchasing the victim's bank account information, or obtaining it in a phishing attack.

Then they impersonate the victim and call the victim’s phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone.

Thieves can then make bank account transfers by responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

This is what you can do

One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. 

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security(link is external). Note, that when you login online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts(link is external). Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

Also, log on to the Federal Trade Commission’s identitytheft.gov website, which includes step-by-step instructions to reporting the theft and the recovery process. 

What mobile carriers should do

Carriers should adopt a multilevel approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Many mobile carriers are already obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

This crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes. The security of two-factor authentication that use phones depends upon keeping thieves away from stealing your phone number. Mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

Lorrie Cranor is the chief technologist at the Federal Trade Commission. This post was adapted with her permission from a recent blog she wrote. Follow Lorrie on Twitter at @lorrietweet.