Gregg Bennett is an entrepreneur in Bellevue, Wash., and he knows a bit about tech. So when his smartphone started acting funny one day last April, he got a bad feeling.
"I was having trouble getting into my email account. And all of a sudden my phone went dead," he says. "I look at my phone and there's no signal. And I go, 'Oh no, something's happened here.'"
It was a SIM-swap — a "social engineering" trick fraudsters use to take control of somebody else's phone number. There are a couple of ways to do this. Sometimes they'll fool the phone company into believing they're the number's rightful owner, who lost the phone and needs to transfer service to a new device. And sometimes it's an inside job, with phone company staffers helping to make the switch, as alleged by federal prosecutors in a case this spring.
Once scammers control your number, they can get your text messages — including the verification codes many online services send when customers reset their passwords.
These are different from verification codes generated by two-factor apps or hardware keys, which are more secure because they don't depend on a phone number. But companies often use the text-message version because it's simple to use.
Bennett says the scammers used text-message verification codes to get into his email accounts, and from there it was open season.
"They got into my Amazon account, my Evernote account, my Starbucks account — they were kind of messing with me," he says, with a rueful laugh.
The big prize was his Bitcoin account. It's not clear exactly how they used his phone number to log in, but once they did, he says they stole 100 Bitcoin. At the time that was the equivalent of about half a million dollars, gone in minutes.
And that's what's new here. SIM-swapping has been around for years, but there's never been so much at stake.
"Phone numbers have suddenly become valuable," says Allison Nixon, director of security research at Flashpoint, a company that tracks cyber crime. She says phone numbers have become an irresistible target for scammers because so many companies now use the numbers to help confirm customers' identities.
"Financials, health care, social media, email — all of these different companies, by policy, require a phone number from you. And that's what creates the vulnerability," Nixon says.
Here's what you can do to protect yourself from a SIM card swap attack:
- Don't reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
- Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
- Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider's website for information on how to do this.
- Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you're concerned about SIM card swapping, use an authentication app or a security key.
Source: The Federal Trade Commission
As scams go, SIM-swapping is labor-intensive. Thieves research their victims, looking for rich targets, such as the crypto-currency investor in California who says he lost $24 million to SIM-swappers last year. He's now suing AT&T over the loss.
But Nixon says SIM-swappers are broadening their aim.
"Eventually you're going to run out of rich people, right? And you've got to start targeting middle-class people, upper-middle class people," Nixon says. "I know people that have been SIM-swapped that have no clear indication as to why, aside from the fact that they get paid and they have a retirement account."
Experts have floated various ideas for improving security — for instance, carriers might require that any phone number transfers happen in person, at a store; carriers could also build a 24-hour waiting period into any number transfer.
Sen. Ron Wyden, D-Oregon, has been looking at what the phone companies could do. He won't get into details about behind-the-scenes discussions, but he's not optimistic.
"The industry is not exactly exerting itself in order to better protect consumers from these SIM-swap scams," he says.
The wireless companies refer questions about SIM-swapping to their industry association, the CTIA — but the association wouldn't do an interview with NPR. It pointed instead to a blog post with tips for avoiding SIM-swaps.
Allison Nixon says phone companies have made progress in recent months, closing technical vulnerabilities that have been exploited by SIM-swappers. But she says the human element — gullible or corruptible staffers — remains a problem.
Still, she says she can understand why phone companies might be hesitant to erect higher security barriers for number transfers.
"It would make the purchase process for the average legitimate customer a little more difficult, a little bit slower, and multiply that by however many millions of sales they make, it probably adds up to a decent amount of money," she says.
Another solution might be to try to wean Americans from their reliance on phone numbers for authentication. Federal regulators have noted the vulnerabilities of text-message codes compared to more secure methods such as two-factor authentication apps. But the wireless industry is pushing back. In a letter to the FTC in August, the industry defended text-message two-factor as, quote, "easily accessible and trusted."
But they're no longer trusted by Gregg Bennett.
"People who are using phones as their only source of two-factor identification are inviting identity theft," Bennett warns.
He now uses authentication apps, such as Google Authenticator, or a hardware key. When companies force him to use text-message codes, he uses a second phone number, which he takes care not to share in places where scammers might find it.
He's currently in arbitration with AT&T, which wouldn't talk about his case to NPR. He says the company is stonewalling on details of how he got SIM-swapped, but he suspects he was victimized by somebody on the East Coast.
"When I finally recovered my phone," he says, "I got a text message asking how my service was at the AT&T store in Boston."