Identity thieves have a new way of gaining access to your finances. Even if you’ve frozen your credit report, they can grab your money by taking over your phone number. It’s called “SIM swapping.” It’s all done electronically, and it defeats the authentication controls that most banks have in place.
You may have been frustrated lately by financial institutions requiring two-factor authentication to log into your account. Instead of just requiring a username and password, they now send you a text message by SMS to your cell phone in to verify your identity with a six-digit PIN that you must enter to gain access.
But what if the number attached to your SIM card on your phone is itself stolen? You have your cell phone in your hand, but someone has gained enough information about you to contact the phone company, transferring your phone number into a phone sitting in their hand!
If it sounds impossible, think again. The FBI’s Internet Crime Complaint Center (www.IC3.gov) has seen a growing number of SIM swap fraud reports. It has happened to famous people, including television producer Andy Cohen (who told his story on “The Today Show”), and countless other victims, with reported losses in the millions.
Once a scam artist electronically transfers your phone SIM card, that two-factor authentication PIN goes to his phone — not yours. And when the thief confirms the transaction, all your money is wired out of your account to his account!
Even worse, when you finally wake up to the lost money, the bank says you are not covered for fraud, since they sent you a PIN and you (or in this case, the fraudster) entered the PIN, thereby “participating” in the fraud. They deny your claim — and your money is lost!
Here’s how it works
It’s easier than you think to get enough information about you to have your SIM card transferred electronically from your phone to another. You do it every time you upgrade and get a new phone.
But if your personal information (such as your pet’s name, street address or even your bridal registry) is easily searchable online, you could become a victim. The cybercriminal’s goal is to pretend they’re you by using that information to trick your cell phone service provider into granting access to your phone number and account. Then it’s as simple as porting your SIM to their device.
Then they call the phone company pretending to be you, saying your phone is lost, and asking to transfer your SIM to the new phone they are holding. Or, according to the FBI, they may bribe or blackmail low-level employees in telephone stores to transfer the numbers to new SIMs.
Once they control your phone number, it’s open sesame for all your financial accounts.
How to protect yourself
—Download an authentication app for your cell phone. Microsoft and Google offer them, as do many other companies. Since the app resides on your phone, the fraudsters cannot access it. You’ll have to set up two-factor authentication for that website — and then use this program instead of a SMS text message.
—Ask your cellphone provider to require extra steps for verification, such as a “SIM PIN,” before allowing your phone number to be ported. That is a multi-digit code that you’ll need any time you want to move your number to a new phone. Without the PIN, your number stays put.
—Use the “strong password” option that generates a random password for each of your accounts. Then store it in a “password manager” program such as Aura, Keeper or Dashlane. (Search for these apps and download them.) Then you only need to remember the main password that accesses your stored passwords.
Sadly, you can easily and inexpensively get all this sophisticated protection, but it won’t work if your financial institution insists on sending SMS text messages and doesn’t allow you to use an authenticator app. FBI Special Agent Ali Sadiq of the Cyber Criminal Investigative Squad says: “Banks need to catch up with best authentication practices — unfortunately, they are all still using SIM texts. Your email account that requires an authenticator may have far better security than your bank account.”
Still, it’s worth trying to derail the SIM swappers. Agent Sadiq reminds us: “You don’t need perfect security to avoid being victimized. By using something as simple as stronger authentication on your online accounts, criminals will likely skip over you and move to lower hanging fruit.” Well, I hope that’s The Savage Truth.
(Terry Savage is a registered investment adviser and the author of four best-selling books, including “The Savage Truth on Money.” Terry responds to questions on her blog at TerrySavage.com.)