WASHINGTON (AP) — On a Monday morning in May, I woke up and reached for my cell phone to read the news and scroll through memes. But there was no cell service. I couldn’t make calls or send text messages.
But that turned out to be the least of my worries.
Using my home Wi-Fi connection, I checked my email and discovered a notification that $20,000 was being transferred from my credit card to an unknown Discover Bank account.
I foiled this transfer and reported the cell phone issues, but my nightmare was just beginning. A few days later, someone managed to transfer $19,000 from my credit card to the same strange bank account.
I was a victim of a type of fraud known as outbound port hijacking, also known as SIM swapping. This is a less common form of identity theft. New federal regulations to prevent outbound port hijacking are under consideration, but it’s unclear how effective they will be in stopping this crime.
Port-out hijacking goes far beyond hacking a store, bank, or credit card account. In this case, thieves take over your phone number. Any calls or text messages go to them, not you.
When your own phone access is lost to a criminal, the steps you’ve taken to protect your accounts, like two-factor authentication, can be used against you. It’s no use for a bank to send a text message to verify a transaction when the phone receiving the text message is in the hands of the person trying to hack your account.
Even if you’re a relatively tech-savvy person who follows all the recommendations on how to protect your technology and identity, it can still happen to you.
Experts say these scams will only increase and become more sophisticated, and data shows they are on the rise.
I’m not a tech-savvy person, but I am a law school-educated journalist specializing in financial reporting. Because of the very online nature of my job, I’ve been taught all the ways to stay safe online: constantly changing my passwords with multi-factor authentication, logging out of apps I don’t use regularly, and keeping my personal information off the internet.
Still, I was vulnerable to criminals. It took me a lot of time and legwork to get my money and phone number back.
The FBI Cybercrime Complaint Center reports that SIM swapping complaints increased by more than 400% between 2018 and 2021, receiving 1,611 SIM swapping complaints with personal losses of more than $68 million.
Complaints filed with the FCC about the crime have doubled, from 275 complaints in 2020 to 550 reports in 2023.
Rachel Tobac, CEO of SocialProof Security, an online security company, says the crime rate is likely much higher since most identity theft goes unreported.
She also claims that two-factor authentication is an outdated method of ensuring consumer security because anyone’s phone number, date of birth, and Social Security number can be found through any number of public or private databases on the web.
The ability of thieves to obtain your personal information was demonstrated again Friday, when AT&T said that nearly all of its customers’ data was uploaded to a third-party platform in a security breach two years ago. While AT&T says no personal information was exposed, cybersecurity experts have warned that breaches involving phone companies leave customers vulnerable to SIM swaps.
Now, changing your phone number is easy and can be done online or over the phone. The process takes less than a few hours, provided a criminal has your personal information at hand.
While consumers should exercise discretion in choosing different passwords and protections, they must “put pressure on companies that are in the business of protecting our data,” Tobac said.
“We need them to update consumer protection protocols,” she said, because two-factor authentication is not enough.
FCC rules recently changed to force companies to do more to protect consumers from these types of scams.
In 2023, the FCC introduced regulations that require wireless carriers to “adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier,” among other new rules. Companies could require more information when a customer attempts to port a phone number to another phone, by requiring government identification, voice verification, or additional security questions.
The rules were supposed to take effect July 8, but on July 5 the FCC granted the phone companies a waiver that delays implementation until the White House Office of Management conducts a further review.
The wireless industry had requested the delay, citing among other reasons that companies needed more time to comply. The CTIA, which lobbies on behalf of the companies, said the new rules would require major changes in technology and procedures, both within wireless companies and in their interactions with phone makers.
But if the FCC rules had been in effect, my phone number might have been harder to steal, experts say.
Amy Schmitz, a professor at Ohio State University, says the FCC’s new rules make it easier for consumers to protect themselves, but it still depends on consumer action and awareness.
“I still wonder whether consumers will be aware of this and take steps to protect themselves,” she said.
It took me ten days to get my number back from Cricket Wireless, until I told the company representatives that I was writing an article about my experience.
During this time, the scammer was able to access my bank account three times and eventually managed to transfer $19,000 from my credit card, even though I deleted my bank account number, froze my credit, changed all my passwords, among other measures.
Bank of America tried to reverse the $19,000 transfer after I visited a branch near the AP’s Washington bureau.
Cricket apologized for the mistake and said in an email that its “goal is to provide a much better customer experience.”
“Fraudulent data transfers are a form of theft committed by sophisticated criminals,” reads a statement from the company emailed to me. “We have measures in place to combat them and are working closely with law enforcement, our industry and consumers to help prevent this type of crime.”
An AT&T representative told me in an email that “all carriers are working to implement the FCC’s new rules on outbound porting and SIM swaps.”
I still don’t know how this person gained access to my accounts, whether it was through my social security number, my phone number, my date of birth, or possibly a recording of my voice.
It was a harsh lesson in how vulnerable we are when we lose control of our personal information that is so widely available to the public.