How to protect yourself from mobile ID theft

Mobile identity theft is on the rise in the United States.

How to protect yourself from mobile ID theft

The deadly pairing of identity theft and identity fraud has been around since time immemorial. Personal details are stolen by a criminal (theft) and used in illicit activity (fraud).

While this kind of social engineering strategy isn't new, an emerging form of ID theft has recently surfaced over in the States - involving your mobile phones.

First, we're going to look at a real-world "mobile ID theft" case study, before discussing what you can do to stay safe from this type of threat.

Lorrie Cranor's mobile ID theft

Lorrie CranorAn unfortunate victim of mobile ID theft was FTC Chief Technologist Lorrie Cranor, who shared her personal experience in June.

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.

Cranor was making a phone call when the line suddenly went dead. After discovering that another mobile on her account also lost signal, Cranor decided to contact her service provider via landline.

The provider explained that an impersonator had visited another retailer posing as Cranor, upgrading her contract to the most expensive iPhone models on sale. At the same time, Cranor's existing SIMs (used in her Android phones) were deactivated.

Cranor discovered that the criminal (who has not yet been apprehended) used a fake ID - with Cranor's name and their photo. While the provider agreed to rectify the situation, they blamed Cranor for the entire debacle (rather than the retailer's lack of authentication procedure).

How you can stay safe

1,038 incidents of this type were reported to the FTC in January 2013. By January 2016, that number had increased to 2,658 such incidents, involving customers from all four of the major US mobile carriers.

Just as in the case of reporting cybercrime, it's apparent that gathering evidence against a criminal is so much harder for the authorities if they don't know about any victims. According to data from the 2014 National Crime Victimization Survey (conducted by the U.S. Department of Justice), less than 1% of identity theft victims reported the theft to the FTC.

This isn't just a problem in the US, though. Cranor's blogpost mentioned the nefarious world of "SIM swap" scams (also known as SIM splitting), heavily prevalent in Europe.

In these, malicious actors use victims' publicly available data to socially engineer new SIM packages from their carriers. One such location of this open-source intelligence is Facebook, so consider having another look at your privacy settings.

Victims have also reported receiving phony calls from a criminal impersonating their mobile carrier (a vishing-style attack). In extreme cases, criminals have set repossession agencies on accounts fraudulently created in the name of innocent victims.

Actionable steps

During the situation with her carrier, Cranor took several steps to ensure she remained in control of her identity. If you become affected by mobile ID theft, I'd strongly recommend taking action on each of these points immediately:

  • Log in to your carrier account and change the password
  • Add an extra security PIN (more on this below)
  • Visit the FTC's identitytheft.gov site to report the incident.
  • Place a fraud alert and obtain a free credit report
  • Prepare an ID theft complaint affidavit to be supplied with a police report.

The UK's ActionFraud also offer a collection of useful tips for general identity theft protection, including these below:

  • Don't throw out anything with your name, address or financial details (all forms of PII) without shredding it first.
  • If you receive an unsolicited email or phone call from what appears to be your bank or carrier asking for your security details, never reveal your full password, login details or account numbers.
  • If you are concerned about the source of a call, wait five minutes and call your bank from a different telephone making sure there is a dialling tone.
  • Check your statements and paperwork carefully and report anything suspicious to the bank o service provider concerned.
  • Don't leave things like bills or contracts lying around for others to look at.

PINs, passwords and extra security

Cranor asked the major US carriers what consumers could do to protect themselves from this kind of fraud. Setting up a PIN is crucial step in reducing your risk, as this will be required before making changes to your mobile account.

CarrierSteps you can take
AT&TAT&T customers can enable "Extra Security" from their online account or the myAT&T mobile app.
SprintSprint customers are required to set up a PIN and security questions when setting up an account. This protection is already active.
T‑MobileT-Mobile customers can set up a "Customer Care Password" by calling Customer Service or visiting a retail store.
VerizonVerizon customers can create an "Account PIN" by calling Customer Service, logging in to their online account or visiting a retail store.

I'm not aware of any carriers utilising this kind of procedure here in the UK. If you know of any, feel free to reach out and drop a comment below.

To close, I completely agree with the closing points in Cranor's blog post - that "mobile carriers are in a better position than their customers" to prevent mobile identity theft and associated fraud. The onus must be placed on carriers and independent retailers to test and strengthen their authentication procedures.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

3 Responses

  1. CounterHack

    August 15, 2016 at 1:14 pm #

    EE customer support in the UK ask for characters from a pre-agreed password. I can confirm this because I had a call with them today.

  2. Matthew Parkes

    August 15, 2016 at 2:32 pm #

    o2 in the UK ask a series of questions based on details you provide to them when you purchase a contract or phone in store, on line or over the phone and ask for characters from your security question answer whenever you call or use live chat. The only problem is when they ask for it they ask you for your password which most people will believe it to be their on line account password, which it isn't they are referring to the answer to your security question which has confused me in the past and lead to them refusing to help on one occasion so beware this if you are on o2.

  3. David

    August 15, 2016 at 3:06 pm #

    The "Steps You Can Take" for Verizon appear to be a copy and paste from T-mobile. Can you list what steps can be taken, please?

Leave a Reply