How Hijacked Cellphone Numbers Can Be Security Risks
DAVID GREENE, HOST:
All right. Think of all the ways your cellphone has become your electronic ID card. The bank knows you by your phone number. Secure websites send key codes by text message. But phone numbers can be hijacked, and a recent wave of phone-based identity theft raises concerns that wireless carriers are just not doing enough to protect customers. NPR's Martin Kaste reports.
MARTIN KASTE, BYLINE: Greg Bennett (ph) had already heard of people's phones getting hijacked. He's an entrepreneur in Bellevue, Wash., and he knows a thing or two about tech. So he's a little embarrassed when he remembers the day in April when it happened to him.
GREG BENNETT: (Laughter) Well, I'm sitting here with my son and I was having trouble getting into my email account. And then all of a sudden, my phone went dead. And I'm looking at my phone, and there's no signal. And I go, oh, no, something's happened here.
KASTE: It was a SIM swap. That's when scammers get your phone company to switch your number to their phone. Sometimes the scammers fool the phone company into thinking they're you. Sometimes a phone company staffer is in on the scam. Once they have your number, they can get your text messages, including password reset confirmation codes. Bennett says that's how they got into his email accounts, and from there, it was open season.
BENNETT: Oh, they got into my Amazon account, my Evernote account, my Starbucks account. They were kind of messing with me (laughter).
KASTE: But the big prize was his bitcoin account. It's not clear exactly how they used his phone number to get in there, but once they were, he says they stole about half a million dollars' worth.
BENNETT: A hundred bitcoin all in a matter of minutes.
KASTE: And that's what's new here. SIM swapping has been around for a while, but now there's just so much more at stake.
ALLISON NIXON: The reason why SIM swapping is such a problem is because phone numbers have suddenly become valuable.
KASTE: Allison Nixon is director of security research at Flashpoint, a company that tracks cybercrime. She says cell numbers have become an irresistible target for scammers because so many companies now force us to use our phone numbers as a form of ID.
NIXON: Financial, health care, social media, email - all of these different companies, by policy, they require a phone number from you. And that's what creates the vulnerability.
KASTE: As scams go, SIM swapping is labor intensive. Thieves have to research their victims first, and they look for rich targets, like the cryptocurrency investor in California who says he lost $24 million to SIM swappers last year. But Nixon says the scammers are also starting to aim lower.
NIXON: Eventually, you're going to run out of rich people - right? - and you've got to start targeting middle-class people, upper-middle-class people. I know people that have been SIM swapped that have no clear indication as to why aside from the fact that they get paid, and they have a retirement account.
KASTE: Experts have suggested various ideas for improving security. For instance, carriers could require that phone number transfers always happen in person at a store. Senator Ron Wyden, Democrat from Oregon, has been looking at what the carriers could do. He won't get into details about behind-the-scenes discussions, but he's not optimistic.
RON WYDEN: The industry is not exactly exerting itself in order to better protect the consumer from these SIM swap scams.
KASTE: The wireless companies refer questions about SIM swapping to their industry association, the CTIA, but it also would not do an interview with NPR. It pointed, instead, to a blog post with tips for avoiding SIM swaps. For instance, they say you should keep your personal details off social media so you're harder to impersonate. Critics counter that it should be on the industry to keep these phone numbers safe. Though, Allison Nixon says she can understand why the phone companies might be reluctant to erect higher security barriers to SIM swaps.
NIXON: It would make the purchase process for the average legitimate customer a little bit more difficult, a little bit slower, and multiply that by however many millions of sales that they make, it probably adds up to a decent amount of money.
KASTE: Another solution might just be to wean Americans from using their phone numbers for authentication. Federal regulators have noted the vulnerabilities of text message codes compared to more secure two-factor methods like apps. But the wireless industry is pushing back on that. In a letter to the FTC in August, the industry defended text messages as, quote, "easily accessible and trusted." But they're not trusted anymore by Greg Bennett back in Washington state.
BENNETT: People who are using phones as their only source of two-factor authentication are kind of inviting identity theft.
KASTE: He now does two-factor authentication with apps or a hardware key. When he's forced to use text message codes, he uses a second phone number, which he keeps secret. He's in arbitration with AT&T, which wouldn't talk to NPR about his case. And he says the company is stonewalling on the details of just how he got SIM swapped. But he suspects that he was victimized by somebody on the East Coast. How does he know?
BENNETT: When I finally recovered my phone, I got a text message asking how my service was at the AT&T store in Boston (laughter).
KASTE: Martin Kaste, NPR News, Seattle.
(SOUNDBITE OF SINJIN HAWKE AND ZORA JONES' "SOURCE OF CONFLICT")
GREENE: Now, for tips on protecting yourself from SIM swaps, take a look at the web version of this story at npr.org. Transcript provided by NPR, Copyright NPR.