SIM-swapping scam lets fraudsters drain your accounts

Carmen Chai

Tue, Oct 25, 2016, 8:00 AM

Your smartphone mysteriously goes dead, and you call your service provider only to learn that someone purchased and activated a new iPhone under your account. A fraudster pretended to be you, alleged that your phone was lost and started fresh with your number and any mobile banking, credit cards and other accounts tied to it.

The SIM-swapping scam has been around for about five years, but the number of cases in the U.S. is growing, experts warn.

In January 2016, 2,658 SIM-swapping reports were filed with the Federal Trade Commission, representing 6.3 percent of all identity theft complaints filed with the agency. That’s up from 1,038 SIM-swap fraud reports and 3.2 percent of total identity theft reports in January 2013.

“While 6 percent may not seem like a lot, it’s increasing,” says FTC chief technologist Lorrie Cranor. “And these are just people who report to the FTC. We know not everyone reports this to us, so these numbers are just the tip of the iceberg,” she adds.

SIM-swapping scams come with major repercussions – fraudsters with your phone’s SIM card can gain access to bank accounts, credit cards and the tools needed to get and abuse more credit under your name..

What are SIM-swapping scams?
The SIM-swapping scam is a two-step process, says John Breyault, vice president of public policy in telecommunications and fraud at Fraud.org.

For starters, identity thieves pull together the information they need to convince your wireless provider that they’re you. It’s as simple as gathering your name, Social Security number, street address and your employer.

They can get this information through a phishing scam via email or by pretending to be your service provider and asking you to verify your identity.

With a fake identity in tow, they head to your wireless service provider’s storefront, pretending “their” phone was lost or damaged and needs replacement.

“In every cellphone, you have what’s called a SIM or subscriber identity module – a little chip,” says Breyault. Fraudsters who pulled enough information to convince your wireless carrier that they're you “pick out a new phone, get a new SIM, and that SIM is encoded with your information.”

Suddenly, your phone goes dead, and you’re on the hook for a new phone charged to your account.

The scam doesn’t stop with getting the phone, though.

To complete this more sophisticated fraud, fraudsters can collect the login credentials to your online financial accounts, and utilize their access to your phone number to bypass the multi-factor authentication protections.

“A savvy identity thief who wants to attack your bank account will know all texts going to your phone,” Breyault says.

With your phone, the fraudster can “bypass two-step authentication. They have access to your credit card, they can transfer funds, sign up for credit cards,” he says. “That’s worrisome.”

How prevalent are SIM-swapping scams?
Cranor herself was a SIM-swap fraud victim. Earlier this summer, her cellphone went dead.

“I assumed it was bad coverage or something -- until the next morning, I realized my husband’s phone wasn’t working either,” Cranor says.

She called their service provider to learn that someone claiming to be her had purchased two new iPhones with new SIM cards that were activated.

Later, she learned that the fraudsters had walked into a store in Ohio with a fake ID with her name and photo in hand, hundreds of miles from where she lived, and charged the new phones to her account.

Cleaning up the mess was a tedious process: Her service provider refunded the cost of the new phones, she and her husband had to get new SIM cards, and she had to argue to have charges removed for upgraded features and insurance on the devices the fraudsters had tacked on her bill.

That's all minor compared to some of the reports she's seen filed the federal government’s identitytheft.gov website. Some people didn’t know their SIM card had been swapped until their bank accounts were drained, or they got a call from their credit card company the next day flagging irregular spending.

‘They even hijacked my iPad’
Dena Haritos Tsamitis, director of Carnegie Mellon University’s Information Networking Institute, didn’t notice her phone went dead as she hurried from meeting to meeting at work one day in March.

When she called her service provider, she learned that someone impersonating her had upgraded her account and purchased two new iPhones.

A SIM-swapping scam “wasn’t on my radar at all,” she says. “We’re so focused on people getting into online accounts, but this is a traditional case of someone using false credentials in a store,” she says.

“They even hijacked my iPad,” she says. “I felt completely violated, and wondered why it was me and how I got picked.”

To get her digital life back, Haritos Tsamitis had to get a new phone and new SIM card. She also signed up for – and pay out of pocket for – a credit freeze and credit monitoring in case fraudsters were trying to open accounts in her name.

SIM-swapping fraud arrives in the U.S.
SIM-swapping scams first surfaced in Australia about five years ago, says Rodger Desai, chief executive officer of PayFone, a New York City-based mobile security authentication company. Then cases started popping up in Europe, and early in 2016 several news stories focused on the fraud.

In the U.S., SIM-swapping fraud “is very, very hot right now.”

To stop the scam, PayFone uses algorithms to check the authenticity of a transaction, Desai says.

If you’re calling the bank to open a new account, or you’re transferring funds on your phone, as examples, more than 400 factors are analyzed to assess your riskiness before the transaction is approved. If you’ve just activated a new phone, received a new number, or any other anomalies pop up, they’re flagged, and the transaction won’t be processed.

“Most of the time nothing has changed – you haven’t lost your device, or your address is the same,” he says. All of this “happens in real time because fraud happens so quickly.”

Desai watched as the mobile phone number’s importance took off in the past few years. It suddenly became the master key to get into accounts, such as email, DropBox and bank accounts.

“We saw banks relying on [two-step authentication] to confirm identity, but it’s a very poor system,” he says. “It’s very trivial how easy it is to take over someone’s phone number.”

What’s being done to reduce the risk of fraud To stem SIM-swapping fraud Sprint, T-Mobile, AT&T and Verizon have adopted PINs, passcodes and passwords to better protect customer cellphone accounts.

AT&T now requires customers to provide a passcode before any online, phone or in-store interaction. The passcode can be turned on online via the customer’s account or through the myAT&T app.

Sprint customers must set up a PIN and security questions.

Verizon requires customers to set up a PIN either through their online profile, by calling customer service or when visiting a Verizon store.

T-Mobile users can create customer care password on their accounts, and setup can be done in store or over the phone.

As mobile phone users, you have to do your part, too.

While you may have set up a PIN with your service provider, you’re still on the hook to watch out for phishing attacks, security experts say.

Always diligently check your credit card and phone statements, and if your phone mysteriously loses its signal or turns to “no network” or “emergency calls only,” contact your service provider immediately if restarting your device doesn’t help.

In the event fraudsters have swapped your SIM and purchased new phones, Cranor and Haritos Tsamitis urge fellow victims to file a police report and a complaint with the FTC, identitytheft.gov and fraud.org.

Before this happened to Cranor, the privacy and security expert hadn’t even heard of a SIM-swapping scam. Now she’s making awareness – and provider security precautions – a priority. She even wrote a blog post on the FTC website about her experience.

One problem, Cranor says, is “people who work in phone stores aren’t trained to scrutinize driver’s licenses. There are tools that are available that could help them do a better job, but they aren’t provided.”

Something as simple as texting or calling her before putting through the fraudster’s order for new phones would have verified whether her phone was indeed lost, she says.

“If they had texted or called me, I would’ve responded, and this wouldn’t have happened,” Cranor says.

Forget Nvidia: Members of Congress Are Scooping Up Shares of Its Core Rival Instead
There's a much more popular AI stock on Capitol Hill than the leading AI chip maker.
Motley Fool•23h ago
Fed's Powell, jobs report and Apple will rock markets this week
In addition to economic and earnings news, inflation and geopolitical worries will have roles to play.
TheStreet•2h ago
Nvidia Owns a 3.4% Stake in This Innovative Artificial Intelligence (AI) Stock Cathie Wood Loves
The $50 million purchase could turn into Nvidia's biggest investment.
Motley Fool•19h ago
Trump to set interest rates himself under secret presidential plan
Donald Trump’s aides have drawn up secret plans to oust the chairman of the Federal Reserve and allow the president to set interest rates, according to reports.
The Telegraph•2d ago
Generative AI Software Sales Could Soar 6,260%: My Pick for the Best AI Stock to Buy Now (Hint: Not Nvidia)
This little-known software stock could soar as businesses spend more on generative artificial intelligence.
Motley Fool•23h ago
California Fast-Food Chains Are Now Serving Sticker Shock
A month after a higher state minimum wage for fast-food workers went into effect, consumers picking up burgers and burritos at chains in the Golden State grapple with prices rising at a faster clip than in other states.
The Wall Street Journal•3h ago
2 Incredibly Cheap Dividend Stocks to Buy Now
These two dividend payers have historically high yields and attractive businesses, even though there are some headwinds to deal with.
Motley Fool•10h ago
Tesla and Microsoft presented 2 distinct versions of AI. Investors liked both.
Earnings presentations from four of the biggest tech companies in the world showed two very different visions of AI: the moonshot and the incremental gains.
Yahoo Finance•19h ago
My late aunt gave her husband a life tenancy in her home — but her attorney won’t even let us see the will. Is this a bad sign?
“When she died, we were told by her attorney that we were responsible for the taxes and property insurance during the time when the life tennant lives in the home.”
MarketWatch•10h ago
In 4 Days, Philip Morris Stock Becomes an Even Better Investment
The tobacco giant will soon be allowed to sell a proven product in a proven market.
Motley Fool•11h ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Yahoo Finance

SIM-swapping scam lets fraudsters drain your accounts

Recommended Stories

Forget Nvidia: Members of Congress Are Scooping Up Shares of Its Core Rival Instead

Fed's Powell, jobs report and Apple will rock markets this week

Nvidia Owns a 3.4% Stake in This Innovative Artificial Intelligence (AI) Stock Cathie Wood Loves

Trump to set interest rates himself under secret presidential plan

Generative AI Software Sales Could Soar 6,260%: My Pick for the Best AI Stock to Buy Now (Hint: Not Nvidia)

California Fast-Food Chains Are Now Serving Sticker Shock

2 Incredibly Cheap Dividend Stocks to Buy Now

Tesla and Microsoft presented 2 distinct versions of AI. Investors liked both.

My late aunt gave her husband a life tenancy in her home — but her attorney won’t even let us see the will. Is this a bad sign?

In 4 Days, Philip Morris Stock Becomes an Even Better Investment