It turns out that accounts on online services like Facebook, Google and Twitter that use a cell phone number as a security backup are easier to hack than we thought. Worse, hackers are also changing the access to virtual wallet accounts and draining them.
Hackers have been contacting cell phone carriers like AT&T, T-Mobile, and Sprint and having them transfer a victim’s phone number to a phone in the hacker’s possession.
Once they have control over the victim’s number, it’s easy to reset the passwords of online accounts that offer SMS as a reset option.
Lorrie Cranor, FTC Chief Technologist, was even a victim and wrote a paper that outlines the experience.
“A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.”
Cranor also wrote, “Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.”
While each carrier has its own recommendations on how to prevent this from happening, the number one thing that major phone carriers recommend is to set a PIN that is required before any changes can be made to your account.