How Even the FTC's Lead Technologist Can Get Hacked

Lorrie Cranor thought she dropped a call. The reality was much worse.

Lorrie Cranor wasn't too worried when her phone died a few weeks ago. Dropped calls are as common as delayed trains and cracked screens. The next morning, it was still dead. Her husband’s was too. And that’s how the chief technologist of the Federal Trade Commission discovered that someone had hijacked her mobile account.

Cranor is not just tech-savvy. She’s a digital security guru, a Carnegie Mellon University professor who specializes in passwords and authentication. And she is a reminder that identity theft can happen to anyone. Even the experts.

Account Override

Here’s what happened to Cranor, as best as she can tell: A woman walked into a retail carrier store in Ohio, identified herself as Lorrie Cranor and bought two Apple iPhones on an installment plan. She billed them to Cranor's account and walked away. That’s all it took. No elaborate Ocean’s Eleven plot, no fanciful Swordfish hacking.

“The thief would have needed to know my name, my mobile phone number, and make a fake ID,” Cranor says. “It’s possible that the store could have asked for the last four digits of my SSN, but even that is not that hard for an identity thief to come by.”

The identity thief used an increasingly common trick called phone account hijacking. In a post detailing her experience, Cranor says the number of incidents reported to the FTC has more than doubled in the past three years. And it's endemic to all the major carriers, which is one reason Cranor declines to call out her own.

What makes account hijacking so insidious is it can happen even if the victim is scrupulous about protecting personal data. Much of the information needed for this hack is available on reverse-lookup sites that link phone numbers with names. That’s why even someone as informed as Cranor could be compromised.

“There are some victims that clearly fall for phishing attacks,” says Cranor. “In my case, I’m pretty sure that didn’t happen… There are so many ways that people can get access to the identity information that’s needed for this.”

So, great, it can happen to anyone. How can you keep it from happening to you?

The Best Defense

The good news for Cranor is that once the carrier knew what happened, it fixed it. Mostly.

“They immediately removed the charges,” Cranor says. “But then there were glitches. On one of my phones, the voicemail didn’t work. It took several days to fix. When they reactivated one of the other phones, they accidentally put the wrong phone number on it, so we had to go back to the store again to fix that.”

Annoying, sure. But Cranor got her life back in order relatively quickly. The consequences can be far more devastating. A stolen phone number paired with a matching credit card number can lead to mobile payment fraud. Worse, a hijacked phone number can lead to a "SIM swap" scam, in which a hacker convinces a carrier to cancel the existing SIM card and activate a new one, tied to the victim’s number but held by the hacker. That lets the attacker receive every text intended for the victim, including two-factor authentication codes sent by SMS. So long, bank account.

There's no way to prevent all of this, but the four major US carriers (AT&T, Sprint, Verizon, and T-Mobile) let customers protect their account with a PIN or password that must be supplied before the account can be changed. Cranor hadn’t enabled hers, but has now. Beyond that, the best you can do is catch the problem before any damage is done.

“Before I realized what was going on, my phone said ‘emergency calls only,’ and I thought it was bad coverage,” Cranor says. “If you see that, it’s probably not bad coverage. There’s probably something else going on.”

Cranor says there are “some areas where either the FTC or FCC might be able to do something” but declined to elaborate. The two agencies are charged with keeping companies on task when it comes to protecting customers. If the current safeguards couldn’t protect a leading security expert, it’s safe to assume some changes are in order. Here's hoping her experience can save others from the same headache.