The Mother of All Scams… SIM Swap!
As the leaves of fall were exploding in colors across many parts of the US, a man in his 50s whom we’ll call Trevor (he has asked us to protect his identity) decided it was time to replace his old iPhone 7 Plus. Apple had released the iPhone 11 only weeks earlier and Trevor was excited about upgrading. He stopped in at a local Verizon store to make his purchase, but needed help from the Verizon employee to transfer his apps and data over to the new phone. These things take time, but an hour after providing his PIN, Trevor left the store very happy with his new purchase tucked into his jacket pocket. What he didn’t know, what he couldn’t possibly know, was that fifteen minutes after he left that Verizon store cybercriminals had replicated his phone number onto a different phone many states away in California, giving them the same access to all his accounts, texts and data in the cloud. At that moment, his new phone stopped working but he didn’t notice. In minutes they had shut him out of his email and scoured his accounts and apps for details they could monetize. They used his duplicated phone to try to access many of his accounts, including credit cards, bank account, investment accounts, and even his Uber account.
But Trevor had no idea that this was happening to him as he drove away to run errands before heading home. It was about two hours later when Trevor tried to get into his email. His email account kept replying with “incorrect password.” Frustrated, he tried to recover his password by selecting the “forgot password” reset feature, only to discover that his account didn’t accept the answers to his security questions either. And some of the security questions had changed! It was then that he also noticed that his phone was not working. There was no dial tone.
At this point, Trevor wasn’t suspicious of anything. He only knew that his new iPhone 11 wasn’t working and he couldn’t get into email. But he thought it was odd that this happened within two hours of purchasing his new phone. Maybe the Verizon salesman had messed up something when setting up his new phone? He needed to call Verizon as soon as possible. Trevor drove nearby to a friend’s house so he could use his friend’s phone. When he called the Verizon support number he spoke to customer service and explained how his phone no longer worked, and oddly, he couldn’t get into his email either. The Verizon support specialist put him on hold for a few minutes while he looked into the problem.
When the Verizon rep returned, he delivered horrible news that Trevor had never expected. The support specialist informed Trevor that his phone number had been ported to another phone fifteen minutes after he left the Verizon store earlier that afternoon. After more digging, he told Trevor that someone had purchased a phone through Google and convinced a Sprint representative in California to apply Trevor’s phone number to the newly purchased phone. Trevor didn’t live in California. The key that enabled someone to port Trevor’s phone number to a different phone in a different state was that they had his phone PIN.
SIM port scams go by a variety of names, including “SIM swap,” “port-out scam,” “SIM splitting” and “SIM jacking.” This Wikipedia article describes the scam in detail: https://en.wikipedia.org/wiki/SIM_swap_scam
Trevor was now in a panic and understood why he couldn’t get into his email account. The criminals had full access to his email, and with that access and his duplicated phone number they had access to most of his accounts. Verizon gave him a temporary telephone number on his new phone and set it up so that he could receive texts sent to his previous phone number. As soon as it was set up, Trevor received a flood of texts confirming that his passwords had been successfully changed. Confirmations came from his email account, credit card account, bank account and even his Uber account. Texts also indicated that the criminals had tried to access Trevor’s other investment accounts but the additional security authentication on those accounts prevented them from getting in. He spent hours reaching out to all of his services trying to regain control of his accounts.
Sadly, Trevor learned that the criminals had made multiple charges on his credit card account. Worst of all was that the criminals had already accessed his bank account and withdrawn $5500 through both a Zelle account associated with a Texas telephone number and Coinbase, a digital currency service. Fortunately, he learned that federal insurance made it possible for him to get a full refund of the stolen funds, and his credit card company credited his account for the fraudulent charges as well. But the process to reconcile what happened was terribly painful, and his pain didn’t stop there. The criminals were also buying stolen credit card numbers via Apple Pay on Trevor’s phone. He had to shut down his Apple Pay account too. Trevor said that it took him hours to cancel and lock up his many accounts. Regaining control of his email account alone took a couple of hours. But when he finally had access and changed his password, the criminals managed to change it again and lock him out once more. It turns out that they also had control over his iCloud account and were informed by that account that he had changed the password. He spoke to some people who were very savvy with Apple accounts and they figured out that the criminals very likely learned about his email password change because they had access to his iCloud account. So he shut down his iCloud account first, then changed his email account password. This prevented the criminals from getting back into his account.
It may surprise readers to learn that Trevor is an accountant. Digital security was second nature to him. But all of the 2-factor authentication to his accounts went directly to his phone. Once the criminals had stolen his phone number, and had his PIN, they essentially had access to nearly his entire digital life. During this very painful process, Trevor learned that smartphone PINs are also sold on the black market so perhaps, he figured, that is how the criminals gained access. And yet, he kept thinking that it was far too coincidental that his troubles started 15 minutes after walking out of the Verizon store with a new phone. That and the fact that the Verizon employee who helped him, and who knew his PIN, was no longer working at the Verizon store just 2 days later, according to the store manager.
Ironically, Trevor had an AARP Identity Protection Service that monitored online accounts and credit cards. This service didn’t identify the fraud or take protective measures to lock his accounts. He also said that the police didn’t take much information from him when he called to file a complaint. In fact, he didn’t get a call back from a police detective for about a month. When the detective did call, he asked Trevor what information he had gathered! His effort to contact the FBI was even less encouraging. He went to the FBI personally. When he arrived at the FBI building and explained at the security desk why he had come and wanted to speak with an agent, they didn’t even allow him into the building. They told him to fill out an online form at the IC3.gov website. The agent who turned him away told Trevor that they get thousands of these complaints every day. “Go file a complaint online” was what he was told. Both the police and FBI responses felt like betrayals to Trevor. It took him many weeks to recover emotionally, and he still fears that the criminals may find a way to target him again since they had access to so much of his personal information.
We asked Trevor what were the most important lessons he learned from this horrible experience. His response was immediate… He said that all consumers should put a “port freeze” on their phones! Phone carriers don’t tell people about this, or that it is even possible. A port freeze means that no one can ever move your phone number to another phone or carrier unless that person shows a picture ID at the store and answers a security question that was previously set up at the time of the freeze. After this experience he insisted that his family members put a port freeze on their phones. When his son called Verizon support, the representative told his son that they strongly recommend that customers who purchase a new phone both change their phone PIN and put a port freeze on the phone as soon as they leave the store with it! This suggests that Verizon headquarters may well know that they have a problem with some of their employees.
Trevor also pointed out that many answers to security questions people use for accounts are easily found through Internet searches, especially by digging into someone’s social media account. For example, he said it is no longer wise to use your mother’s maiden name as a security question and answer. We agree!
We hope our readers contact their phone carriers and add a port freeze to their phone accounts!
a) Brian Krebs is an excellent investigative reporter who also worked for the Washington Post for many years. He publishes a blog called Krebs on Security and wrote a series of articles about “Port-out scams” in 2018, including details about perpetrators of this scam.
b) The good folks at Clark.com have published important links and a number of excellent suggestions for consumers to do to protect themselves against port scams. Visit their article titled What Verizon, AT&T, Sprint & T-Mobile Are Doing to Prevent SIM Card Swapping.
(Thanks to pxfuel.com for use of their royalty-free images.)