Flight attendant Eunice Lockett Thomas couldn’t understand why her Chase debit card was declined in early June as she tried to pay a dinner bill while vacationing in Hilton Head, South Carolina.
Thomas’ sisters, who were also at the dinner, planned to pay a portion of the tab. So they sent money to Thomas through the Cash App, a payment transfer app that acts like a debit card for small transactions, on her iPhone 11.
“While we’re sitting there, I could see the transactions from the Cash App, but I couldn’t do anything about them,” says Thomas, 72. “I had no control over my phone. I couldn’t make calls, I couldn’t receive calls. I could only see kind of what was going on.”
This went on for two days before she returned home to New York and visited her carrier, T-Mobile. A customer service representative replaced her phone’s SIM card.
Thomas was apparently a victim of a SIM swap attack, an all-too-common industrywide scam involving a hijacking of the Subscriber Identity Module chip card found inside smartphones, which links your phone number and account information to your mobile provider.
Thomas’s saga got a lot worse. She learned that requests for money were also sent out in her name to her contacts inside Cash App, some of whom sent money. Bitcoins were purchased and sold through her Cash App account as well. Thomas shared documentation of the transactions with AARP.
Thomas then discovered that $21,916.41 had been withdrawn from her Chase checking account, a transaction she insists she didn’t make or authorize. She reached out to Chase and T-Mobile, which acknowledged in writing “unauthorized activity” on her account, and filed a police report. Citing its own research into her claim, Chase initially sent a letter to Thomas indicating that in its view, “the transaction(s) was processed correctly or was authorized” and that “no adjustment will be made to your account at this time.”
After AARP inquired to confirm her situation, a bank representative again looked into the case. A day later, the bank called Thomas and told her they would credit her account with the missing money, which Chase confirmed to AARP. The money was in Thomas' account Monday morning, she said.
SIM cards carry personal information
Thomas says she isn't sure how her phone got hacked. Some SIM cards can be removed from one phone and placed in another, so the risk of physical theft exists, though that didn't happen her case.
And not every SIM card is compatible with every device. Newer eSIM types are embedded into the device hardware, which in some instances lets you have two different lines on the same handset.
Join today and get instant access to discounts, programs, services, and the information you need to benefit every area of your life.
Either way, here’s how the scam typically unfolds, according to the Federal Communications Commission. A con artist posing as you persuades your cellular provider to issue a replacement SIM card, or to port your number over from another provider. The bad guy may claim that his current card was lost or damaged, and having already amassed personal details about you from data breaches and leaks, phishing attacks, social engineering, social media, and public records easily found on the internet, can make the bogus ploy sound convincing.
Once your SIM has been hijacked, calls, texts and other data that are supposed to go to you are diverted to the imposter’s device. This may include texts with the one-time-use multi-factor authentication code that is supposed to provide you with an extra layer of security beyond a passcode. Instead, it may unlock the door for a thief to change or access your email addresses, social media profiles, financial records and bank accounts.
'You lose complete access to your phone'
“SIM swapping is a real threat,” says Eva Velasquez, president and CEO of the San Diego-based Identity Theft Resource Center, which educates consumers on the risks of identify theft and offers free resources to help victims recover. “It is a tactic that can be used to commit identity theft, and the effects can be very damaging. You will know if your SIM has been swapped if you lose complete access to your phone.”
In a study published in early 2020, researchers at Princeton University explained how they tested the authentication mechanisms in place for legitimate SIM swaps at AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless. They signed up for 50 prepaid accounts, 10 with each carrier, and subsequently called in to request a SIM swap on each account. Their key finding: All five carriers used insecure authentication challenges that attackers could easily subvert.
Carriers are bolstering internal processes to combat this criminal activity, according to the CTIA, a wireless industry trade group that changed its name from the Cellular Telecommunications Industry Association in 2004. That includes the ability to lock or freeze your account, working with law enforcement, and training employees to look out for the fraud.
Some carriers allow only in-store changes
In some instances, a company may restrict customer accounts so changes can only be made in the store with a government-issued ID, says Kevin Lee, who is pursuing a doctorate in computer science and is co-author of the Princeton report.
T-Mobile says its account holders must choose a 6-to-15-digit PIN, and that a customer’s phone number cannot be ported without verification of that PIN. T-Mobile also offers what it calls Account Takeover Protection, which adds additional security to accounts by blocking unauthorized users from transferring your lines to another wireless carrier. AT&T similarly lets you create a unique passcode you’ll have to provide before account changes can be made, including port requests initiated by another carrier.
Cash App, which is owned by Square Inc. and not a bank, recently unleashed an artificial intelligence-driven feature that it says flags potential spam or scams for payments in the app.
But you can take steps as a smart consumer to minimize the risk. Here’s what experts suggest.
Don't give out personal info
• Don’t reply to calls, emails or texts that request personal information. If you get such a request for account or personal information, contact the company directly on your own, using a phone number or website you know to be genuine.
• Use multi-factor authentication. As previously noted, two-factor authentication, 2FA for short, will be useless if the code to verify your identity arrives on the crook's phone and he already knows your passcode.
But “a knee-jerk reaction may be to turn off 2FA altogether, and that is actually even more dangerous,” Lee says. Enabling this extra layer of security “only adds to the username and password requirements, potentially making it tougher for attackers to hijack. At the end of the day, it’s still better than nothing.”
David Strom of the Avast digital security firm is among the experts who recommends switching your second authentication factor from SMS texting to an authenticator app such as Authy or Google Authenticator. He also points to Zenkey, a mobile app available in the Google Play Store and Apple App Store, resulting from a collaboration among AT&T, T-Mobile and Verizon. You’ll need to get the Zenkey version tied to your specific mobile provider.
Protect your phone and SIM
• Protect the physical device. That means using the facial recognition or fingerprint scanning options common in smartphones today, Velasquez says, along with a PIN.
• Protect the physical SIM. You can lock your SIM with a numerical PIN you would have to enter every time you restart a device or remove a SIM. You can create such a PIN inside the settings on your iPhone or Android device.
• Be careful what you post online. This generally means avoiding the kind of information often prompted by security questions, including birthdates, the name of your pet, your best friend’s first name and high school mascot.
• Keep your email inbox clean. Wipe out the messages that don't need to be there, including any with passcodes, PINs, Social Security numbers, and billing statements that may reveal some or all of these details if your device is ever hacked.
Share landline, not mobile number
• Don’t overshare your mobile number. AT&T recommends using your landline when sharing a number with a dry cleaner, grocery store or other businesses. Unless you have business reasons to do otherwise, don’t include your number on social media or as part of your email signature.
You also can get a free phone number to give to businesses or acquaintances that you don't want to have access to your real number, and it will ring on your phone. This “burner” number is something that can protect your privacy and is easily disposable if you want a different one later.
• Report suspicious activity. If you notice something unusual, contact your mobile provider, bank and credit card company right away, and make certain your account credentials haven’t been changed. You may want to file an identity theft report with the Federal Trade Commission.
In its letter to Thomas acknowledging that her phone had been compromised, T-Mobile offered other sound advice: Consider placing a fraud alert with any of the three major credit bureaus — Equifax, Experian or TransUnion — which signals creditors to get in touch with you before opening a new account in your name.
Edward C. Baig is a contributing writer who covers technology and other consumer topics.
He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune and is the author of Macs for Dummies and the coauthor of iPhone for Dummies and iPad for Dummies.