I was one of the victims of the recent Equifax data breach, which compromised my credit card numbers. Someone tried to use one of them, but fortunately the transaction raised some security flags at the issuing bank, which contacted me to confirm the transaction was mine. As soon as they knew it wasn't, they canceled my card and reissued it with a new number. Needless to say, this was inconvenient and frustrating - and it put me on my guard.
A few days later, my cellphone carrier's customer service department left a voice message on my phone, thanking me for my call and wanting to know whether their customer service had been satisfactory. Would I please return their call and complete a short survey? That was all very well . . . except that I hadn't called them! I immediately got hold of their local office, and asked them what was going on. It turned out someone had called them, saying that they'd lost their (my) phone, and had bought a new device. Would they please switch my phone number to the new device? The caller wasn't able to provide the account PIN that I'd (fortunately) set up, so the representative to whom he spoke didn't comply with his request, instead advising him to call back when he could remember or locate the PIN.
I asked the local customer service people for more information. It turns out that this is an increasingly popular fraud technique. If scammers can get hold of your financial information (as they did mine), but find that every important account is protected by mobile phone two-factor authentication (as mine are), they'll try to switch your phone number to their device. If they succeed, they can strip your assets in no time. The New York Times reports:
In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.
Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.
. . .
A wide array of people have complained about being successfully targeted by this sort of attack, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.
. . .
Mobile phone carriers have said they are taking steps to head off the attacks by making it possible to add more complex personal identification numbers, or PINs, to accounts, among other steps.
But these measures have not been enough to stop the spread and success of the culprits.
. . .
Adam Pokornicky, a managing partner at Cryptochain Capital, asked Verizon to put extra security measures on his account after he learned that an attacker had called in 13 times trying to move his number to a new phone.
But just a day later, he said, the attacker persuaded a different Verizon agent to change Mr. Pokornicky’s number without requiring the new PIN.
There's more at the link.
I've no idea why the fraudster(s) concerned would have tried to hack my phone account in that way. I'm no financial fat-cat with lots of money in the bank. It may be linked to the hacking of my credit card account; that particular card had a relatively high credit limit, so the hacker(s) may have wanted to use it to buy something expensive. At any rate, the fact that I'd set up a PIN on my phone account prevented them from having the number transferred - this time, at least. I've added a security note to my file with the service provider, asking them not to permit any remote request to transfer the number to a new device. That may be inconvenient for me in the event of an emergency, but I hope it'll add another layer of security to my arrangements.
Karl Denninger waxes vitriolic at the phone companies for allowing this to continue.
See, it typically doesn't take one such attempt, because most [cellphone company] agents will follow protocol and refuse without you in some way verifying who you actually are -- such as by using a PIN number you put on the account, and which the thief doesn't know.
So why is it that these guys get dozens or even hundreds of bites at the apple?
See, that's the problem, and it's an intentional problem. In other words the cell companies could trivially log the number of bad attempts -- when you call into the company asking them to do something and don't know the password their call management software could increment a counter and after some reasonable number of failed tries in some period of time, say three, it would then require you to go to a physical store and present positive identification.
. . .
One or two wrong responses is one thing -- yes, people forget, or they use a couple of different PINs and they get the wrong one the first or second time.
Thirteen times? No, that's quite obviously attempted fraud, and not only did Verizon not lock his account against those repeated attempts after a rational number of failures to authenticate, they didn't call him either, nor did they follow their own rules despite being warned in advance that his account was under attack!
There's utterly no reason to allow this sort of horse**** to go on, but just like all the other scams of the day, utterly nobody at the telcos will be held accountable for what amounts to being an accessory before the fact to grand theft ... Firms that intentionally ignore repeated hack attacks on a customer's account and not only fail to stop them, they also fail to notify the customer that they're under attack need to be held financially and criminally responsible for the harm that ensues.
Again, more at the link. It's hard to disagree with him.
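Denninger's lockout proposal, together with the "no remote transfer" note I placed on my own account, can be sketched as a small policy check. This is an added illustration, not code from this post, from Denninger or from any carrier; the call log, the 24-hour window and the three-failure limit are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call-centre log: (account, time, agent, PIN check passed?)
# Each record is one phone request to move the number to a new device.
CALL_LOG = [
    ("555-0100", "2017-09-10T09:00", "agent_a", False),
    ("555-0100", "2017-09-10T09:20", "agent_b", False),
    ("555-0100", "2017-09-10T11:05", "agent_c", False),   # third miss: lock
    ("555-0100", "2017-09-11T10:00", "agent_d", True),    # next day, new agent
    ("555-0199", "2017-09-10T12:00", "agent_a", False),   # one slip, not fraud
]

MAX_FAILURES = 3             # "after some reasonable number ... say three"
WINDOW = timedelta(hours=24)  # failures older than this are forgotten


class PortingGuard:
    """Decides whether a number-transfer request may proceed by phone."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> times of bad PINs
        self.locked = set()                 # accounts needing in-store ID
        self.notices = []                   # (account, reason) sent to customer
        self.no_remote_transfer = set()     # customer asked for a hard block

    def request_transfer(self, account, when, pin_ok):
        if account in self.no_remote_transfer:
            return "DENY_POLICY"            # never movable over the phone
        if account in self.locked:
            # The lock is per account, not per agent or per call, so a
            # later agent cannot be talked into the change. Even a correct
            # PIN is refused until identity is shown in a store.
            return "DENY_IN_STORE_ONLY"
        if pin_ok:
            self.failures[account].clear()
            return "ALLOW"
        recent = self.failures[account]
        recent.append(when)
        while recent and when - recent[0] > WINDOW:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked.add(account)
            self.notices.append((account, "repeated failed transfer attempts"))
            return "DENY_LOCKED"
        return "DENY_WRONG_PIN"


def run_log(log, guard=None):
    """Replay a call log and return the guard plus one decision per call."""
    guard = guard or PortingGuard()
    decisions = [guard.request_transfer(acct, datetime.fromisoformat(ts), ok)
                 for acct, ts, _agent, ok in log]
    return guard, decisions
```

The fourth record is the Pokornicky case: a correct PIN presented to a different agent the next day is still refused, and the customer has already been told the account is under attack.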
Friends, the Equifax data breach is very serious indeed - but it's only the latest in a long series of such breaches. Our personal and financial information is no longer secure, and we need to take strong measures to protect ourselves as best we can. I urge you to use Equifax's inquiry Web page to find out whether your information was compromised, and if so, to make use of the free credit monitoring service Equifax is offering to all affected consumers. Also, I strongly suggest that you use two-factor authentication on all your financial accounts, and contact your cellphone service provider to ensure that you've implemented all the security measures available to you, to prevent this sort of thing happening to you.