WASHINGTON (AP) — One Monday morning in May, I woke up and picked up my phone to read the news and scroll through memes. But it was out of cell service. I couldn’t make calls or text.
This, however, turned out to be the least of my problems.
Using my home Wi-Fi connection, I checked my email and discovered a notification that $20,000 was being transferred from my credit card to an unknown Discover Bank account.
I blocked that transfer and reported the mobile problems, but my nightmare was just beginning. Days later, someone managed to transfer $19,000 from my credit card to the same strange bank account.
I was the victim of a type of scam known as port-out hijacking, also called SIM swapping. It is a less common form of identity theft. New federal regulations aimed at preventing port hijacking are under consideration, but it’s not clear how far they will go in stopping the crime.
Port-out hijacking goes a step beyond hacking a store, bank account or credit card. In this case, thieves take over your phone number. Every call or message goes to them, not you.
When access to your phone is lost to a criminal, the very steps you once took to protect your accounts, like two-factor authentication, can be used against you. It doesn’t help for a bank to send a message to verify a transaction when the phone receiving the message is in the hands of the person trying to break into your account.
Even if you’re a relatively tech-savvy individual who follows every recommendation on how to protect your technology and identity, it can still happen to you.
Experts say these scams are only going to get bigger and more sophisticated, and data shows they’re on the rise.
I’m not the most tech-savvy person, but I’m a law school-educated journalist specializing in financial reporting. Because of the highly online nature of my work, I was taught all the methods to stay safe online: constantly changing my passwords with multi-factor authentication, logging out of apps I don’t use regularly, and keeping my personal information safe off the internet. .
However, despite being safe, I was vulnerable to criminals. And it took a lot of time and work before I got my money and phone number back.
The FBI’s Internet Crime Complaint Center reports that SIM swapping complaints increased more than 400% from 2018 to 2021, having received 1,611 SIM swapping complaints with personal losses of more than 68 million dollars.
Complaints to the FCC about crime have doubled, from 275 complaints in 2020 to 550 reports in 2023.
Rachel Tobac, CEO of SocialProof Security, an online security company, says the crime rate is likely much higher since most identity theft goes unreported.
She also says two-factor authentication is an outdated way to keep consumers safe, since it’s possible to find anyone’s phone number, birthday and social security number through any number of public databases or private on the web.
The ability of thieves to get hold of your personal information became clear again Friday when AT&T said nearly all of its customers’ data was downloaded to a third-party platform in a security breach two years ago. Although AT&T claims no personal information has been leaked, cybersecurity experts have warned that breaches involving phone companies leave customers vulnerable to SIM swapping.
Until now, switching numbers from one phone to another is easy and can be done online or over the phone. The process takes less than a few hours as long as a criminal has your personal information.
While consumers should be smart about having a variety of different passwords and protections, consumers should “put pressure on companies whose job it is to protect our data,” Tobac said.
“We need them to update their consumer protection protocols,” she said, since two-factor authentication isn’t enough.
FCC rules have recently changed to force companies to do more to protect consumers from this type of scam.
In 2023, the FCC introduced rules requiring wireless providers to “adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider” among other new rules. Companies can ask for more information when a customer tries to port a phone number to another phone — from requesting government identification, voice verification or additional security questions.
The rules were scheduled to go into effect July 8, but the FCC on July 5 granted the phone companies an exemption that delays implementation until the White House Office of Management conducts a further review.
The wireless industry had demanded the delay, citing among other reasons that companies need more time to comply. CTIA, which lobbies on behalf of the companies, said the new rules will require major changes in technology and procedures both within wireless companies and in their interactions with phone makers.
But if FCC rules were in place, my phone number could be harder to steal, experts say.
Ohio State University professor Amy Schmitz says the FCC’s new rules make it easier for consumers to protect themselves, but it still depends on consumer action and awareness.
“I still question whether consumers will be aware of this and take action to protect themselves,” she said.
It took ten days to get my number from Cricket Wireless – and that wasn’t until I told the company representatives that I was writing a story about my experience.
In that time period the fraudster was able to access my bank account three times and eventually successfully transferred $19,000 from my credit card — even though I removed my number from the bank account, froze my credit, changed all my passwords, among other measures.
Bank of America worked to return the $19,000 wire after I visited a branch near the AP’s Washington office.
Cricket apologized for the error and said in an email that “its expectation is to provide a much better customer experience.”
“Fraudulent exits are a form of theft perpetrated by sophisticated criminals,” said a company statement emailed to me. “We have measures in place to help defeat them and we work closely with law enforcement, our industry and consumers to help prevent this type of crime.”
An AT&T representative told me in an email that “all providers are working to implement the new FCC rules on port outs and SIM swaps.”
I’m still not sure how this person got access to my accounts, whether it was through my social security number, phone number or date of birth, or maybe a recording of my voice.
It was a hard lesson in how vulnerable we are when you lose control of our personal information that is so publicly available.