Opinion articles provide independent perspectives on key community issues, separate from our newsroom reporting.

Op-Ed

Hackers can use your cell phone number to rob you. I found out the hard way.

John Winn Miller
John Winn Miller

Last week someone really had my number, as in stole my cell phone number – not the physical phone — to use for hacking into my financial accounts and for extortion. I am sharing my experience – and preventative measures I learned about — in hopes others won’t have to endure what I did.

This kind of identity theft has a lot of names: illegal port transfer, port out scam, SIM swapping attacks, SIM hacking. And, I was shocked to learn how easy it is for thieves to convince phone companies to transfer phone numbers, and how hard it is to fix the problem.

Here’s what happened.

On Friday afternoon, I got a text message saying “a request to transfer (my number) from AT&T to a new service provider is in process. Call (AT&T’s number) if you did not request this change.”

In shock, I called immediately. But my phone went dead. The switch – called a port transfer – happened before I could finish dialing the number. With the transfer, I began an agonizing hour of trying to contact all the phone companies and my financial institutions using my wife’s phone. We no longer have a landline.

A couple of hours later, my wife got a call – from my number – from someone demanding $20,000 to return my cell number. She declined the offer.

Then worse news arrived in an email from Chase headlined: “Wire Template Activated.”

Someone named Jason Carter was trying to transfer $1,900 out of my checking account. Imagine my panic as I first tried to log onto my Chase account only to get a message that my computer was not recognized and would require two-factor authorization – meaning a text message to my phone i.e. the thief’s phone. Aaargh.

Fortunately, the bank suspected fraud and halted the transfers. But I’ve read online about people losing thousands of dollars to this scheme from their accounts.

It took some time to find the fraud departments at my financial institution, and even longer to reach someone to freeze my accounts and shutdown online access.

The phone companies were no easier to deal with. When I finally got through to AT&T’s Fraud Department, I learned my number had been transferred to Metro PSC. AT&T promised to get right on it and have my number returned to me in three-to-five business days. WHAT!?

I was furious and spent the rest of the night changing passwords on every financial or social media account.

The next day, I called Metro PSC (more hold time) and was told there was nothing they could do, but they suggested a local office might be able to help if I brought my driver’s license to prove my identity.

The local Metro agent was horrified and immediately tried to suspend the number. But his computer wouldn’t let him do that without the PIN number i.e. the thief’s PIN number. Luckily, the agent took pity on me and figured out a way to cancel the number.

So, how did this happen and what can you do to protect yourself?

All AT&T requires to transfer a cell number to another company is the account number and a PIN.

But here is the outrageous part. There was no two-factor notification. AT&T did not text me about the transfer and wait for me to approve it via my phone. AT&Ts “port transfer department” told me it was a growing problem but there was nothing they could do.

Wrong. And that’s why I will never do business again with AT&T. It has been a known problem for years, and AT&T has been sued over it more than once. The FBI warned about it in 2019.

The four major phone companies even formed a Mobile Authentication Taskforce that recently released a multi-factor authentication app called ZenKey.

Other phone companies have taken even more effective steps.

Verizon, for instance, not only requires a PIN but also allows users to set up two-factor verification on their accounts, meaning you have to prove your identity via text or email. Plus, Verizon offers a “Number Lock” option on its mobile app and website that prevents any transfers. Now that’s a company that takes security seriously.

John Winn Miller is a retired journalist living in Lexington who writes screenplays, produces independent movies and is a partner in a social media startup called Friends2Follow.

TIPS SIDEBAR

Here are some ways to protect yourself from SIM hacking and other identity theft scams.

Set up a unique PIN on your phone account.

Do not use the same PIN or password on multiple accounts. To make passwords easier to create and remember, use a password manager like LastPass (my choice) or Dashlane. And, change passwords every three months.

Set up “Number Lock” on your phone. Don’t do business with a company that does not have this function.

Check with your financial institutions to see if they use Voice Verification (Vanguard) or Verbal Passwords (Chase) to verify your identity over the phone.

Put a credit freeze on your accounts at all three national credit bureaus – Equifax, TransUnion and Experian. That way no one can use your stolen identity to get a new credit card or loans in your name. You can also put fraud alerts on your credit reports.

Call the National Consumer Telecom & Utilities Exchange (NCTUE) at 1-888-349-3233 and request a copy of your report and add a fraud alert. This is a company owned by Equifax that warehouses consumer payment data related to utility bills – cable, electric, gas, water and phone. (I had no idea this existed.)

Make sure you have handy the fraud department phone number for all your utilities and financial institutions and credit cards. You’d be surprised at how hard they are to find.

Set up two-factor authorization on ALL of your accounts. That means even if someone gets your passwords, they cannot log in to your accounts without the passcode that will be sent to your phone by text or email. (This is a flawed system if you have lost your phone.) You can also use authentication app such as Google Authenticate or Authy (my preferred one), or security keys that plug into your devices and verify your identity.

Bonus Tip: I no longer give my credit card numbers to companies where I have recurring or frequent payments. Those are too easy to hack. Instead, I use a service called Privacy.com, which creates a unique debit card number for each merchant. They can only be used with that merchant and you can set spending limits or make it for one-time use only. That way, if my account with a merchant is hacked, they only get a useless debit card number.

Get one year of unlimited digital access for $159.99
#ReadLocal

Only 44¢ per day

SUBSCRIBE NOW