(KPIX 5) — Identity thieves are increasingly turning to a new scheme: taking over mobile phone accounts, posing as the account holder, and collecting the upgrades for any phones registered to that account.
Lindsay Heard knows what it’s like to be a victim. Back in July, the Bay Area resident says everyone on her AT&T family plan – except her – suddenly found themselves without working cell phones. “My dad, my sister and my husband – all their phones stopped working,” Heard told KPIX ConsumerWatch.
When Heard called AT&T to find out why, she eventually discovered a thief had hijacked her family’s account. They did it by crafting a fake ID with Heard’s name and posing as her at a store in the Midwest.
“Someone in Nebraska had walked into a Best Buy and upgraded all three phones that had upgrades available,” Heard said. In all, three iPhone 6 phones were billed to her account.
She’s got plenty of company. The Federal Trade Commission said the number of victims of what’s known as “cellphone hijacking” has more than doubled in the past three years, with 2,658 reported incidents in January 2016 alone. Among the victims: the FTC Chief Technologist Lorrie Cranor, who recently blogged about her experience. Customers of all four major carriers, AT&T, Sprint, T-Mobile and Verizon, have been affected.
So how does it happen? Dan Goodin of Ars Technica says it starts with a crook accessing your private information, often through a data breach. “There have been a dizzying number of breaches,” Goodin told ConsumerWatch. From there, criminals get enough information to pose as the account holder, sometimes by creating a fake ID.
Security experts say the problem extends far beyond the inconvenience of losing phone service or fighting fraudulent charges. When crooks transfer your number to the new phones, they may gain access to the account holder’s most critical accounts. “Increasingly, Facebook, Bank of America, Google, Wells Fargo – they’re all using your cell phone as a secondary measure to prove who you say you are,” according to Goodin. “For all practical purposes, I am you for the purpose of this phone.”
Still, Goodin believes the prime motive is to get free phones. “Evidence suggests people are taking these accounts over in an attempt to get their hands on new phones,” he said.
The FTC recommends customers set up a password or PIN with their carrier that’s required before making any changes to a mobile account. But Goodin says each carrier has a different way of doing that. “It’s a piecemeal solution right now,” Goodin said.
Best Buy said it requires workers to “verify” customer IDs before completing a transaction. AT&T said it requires a photo ID and the last four digits of a customer’s Social Security number before making a change to an account or allowing a phone upgrade.
After a few calls to AT&T and visits to an AT&T store, Heard’s phone situation got straightened out, but she said it was a headache. Her family members had to switch out their SIM cards and AT&T is covering the fraudulent charges. But Heard said carriers need to do more. “I just don’t want this to happen to other people.”