What’s worse than thieves breaking into your bank account? When they steal your phone number too

WASHINGTON (AP) — One Monday morning in May, I woke up and reached for my phone to envision the news and browse memes. But there was no signal. I couldn’t make calls or text messages.

But it turned out that this was the least of my problems.

Using my home Wi-Fi connection, I checked my email and saw a notification that $20,000 had been transferred from my bank card to an unfamiliar Discover Bank account.

I foiled the transfer and reported the cell phone issues, but my nightmare was just starting. A couple of days later, someone managed to transfer $19,000 from my bank card to the identical strange bank account.

I fell victim to a scam often called port-out hijacking, also often called SIM swapping. This is a less common type of identity theft. New federal laws aimed toward stopping port-out hijacking are currently being considered, however it is unclear how far they will go in stopping this crime.

Port-out hijacking goes beyond breaking into a store, bank, or bank card account. In this case, thieves take your phone number. Any calls or text messages go to them, not you.

Once your phone is compromised by a criminal, the identical steps you once took to guard your accounts, equivalent to two-factor authentication, will be used against you. It doesn’t help when your bank sends you a text message to confirm a transaction when the phone receiving the text message is within the hands of somebody attempting to hack into your account.

Even when you’re a reasonably tech-savvy person and follow all of the recommendations to guard your electronic devices and identity, this could still occur to you.

Experts say these scams will change into more common and complex, and data shows they are continually growing.

I’m not a tech-savvy person, but I’m a legal-trained journalist who focuses on financial reporting. Because of the highly online nature of my job, I used to be taught all of the methods of staying secure online: continually changing passwords with multi-factor authentication, logging out of apps I don’t use often, and keeping my personal information off the web.

Even though I used to be secure, I used to be vulnerable to criminals. And it took me quite a lot of time and work to get my money and phone number back.

The FBI’s Internet Crime Complaint Center reports that SIM swap complaints increased by more than 400% between 2018 and 2021. There were 1,611 SIM swap complaints filed, with personal losses totaling more than $68 million.

The number of criminal complaints to the FCC has doubled from 275 complaints in 2020 to 550 reports in 2023.

Rachel Tobac, CEO of online security firm SocialProof Security, says the crime rate is probably going much higher because most identity thefts go unreported.

He adds that two-factor authentication is an outdated approach to keeping consumers secure because anyone can find their phone number, date of birth and Social Security number online through any number of public or private databases.

The possibility of thieves obtaining your personal information was exposed again Friday when AT&T said nearly all of its customer data was downloaded to an out of doors platform in a security breach two years ago. While AT&T said no personal information was leaked, cybersecurity experts warn that breaches involving telecom corporations expose customers to SIM swapping.

These days, changing a number from one phone to a different is straightforward and will be done online or over the phone. The process takes less than a couple of hours if the criminal has your personal information at hand.

Featured Stories

Consumers have to be smart about using different passwords and protections, Tobac said, but they also must “put pressure on the companies tasked with protecting our data.”

“We need to update consumer protection protocols,” she said, because two-factor authentication just isn’t enough.

FCC rules were recently modified to force corporations to do more to guard consumers from some of these scams.

In 2023, the FCC introduced rules that require wireless service providers to “adopt secure customer authentication methods before routing a customer’s phone number to a new device or to a new provider,” amongst other latest rules. Companies could require more information when a customer tries to port a phone number to a different phone, from requiring government identification, voice verification or additional security questions.

The rules were set to take effect July 8, but on July 5 the FCC granted telecom corporations a waiver that delays implementation of the principles pending further review by the White House Office of Management.

The wireless industry had been pushing for a delay, citing, amongst other things, that corporations need more time to comply. CTIA, which lobbies on behalf of the businesses, said the brand new rules would require major changes to technology and procedures each at wireless corporations and of their interactions with handset makers.

But experts say if FCC rules had been in effect back then, it might have been harder to steal my phone number.

Ohio State University professor Amy Schmitz says the FCC’s latest rules make it easier for consumers to guard themselves, however it still is dependent upon consumer motion and awareness.

“I still have doubts that consumers will be aware of this and take action to protect themselves,” she said.

It took ten days to get my number back from Cricket Wireless — and that was only after I told company representatives I used to be writing an article about my experience.

During that point, the scammer managed to access my bank account thrice and ultimately managed to transfer $19,000 from my bank card — though I removed my number from my bank account, froze my credit, modified all my passwords and took other measures.

Bank of America took motion to reverse a $19,000 wire transfer after I visited a branch near the AP office in Washington.

Cricket apologised for the error and said in an email that it “expects to provide a much better experience for customers”.

“Port-out fraud is a form of theft perpetrated by sophisticated criminals,” the corporate said in an emailed statement. “We have implemented measures to help defeat them, and we work closely with law enforcement, our industry, and consumers to help prevent this type of crime.”

An AT&T representative informed me in an email that “all carriers are working to implement the new FCC rules regarding number porting and SIM swaps.”

I’m still unsure how this person accessed my accounts – whether through my Social Security number, phone number, date of birth, or possibly a recording of my voice.

It was a painful lesson in how vulnerable we’re once we lose control over our personal data that’s so publicly available.