A Warning About Cell Carriers' Lack of Security And What It Means To You
All of the cell phone carriers such as Verizon, AT&T, Sprint and T-Mobile are in the business of selling you stuff. Sometimes stuff you don’t want or need, but still stuff they would like to sell to you.
As a result, when decent security gets in the way of them being able to separate you from your money, the sales opportunity wins.
Brian Krebs’ story (see link at the end) is very dramatic and the worst case scenario that anyone could imagine.
In February of this year, 84-year-old James Schwartz was caring for his wife, who had end-stage cancer, when he had a heart attack. When his wife tried to use her cell phone to call for help, she found that it had been shut off and she could not get through. After 40 minutes of struggling, she was able to get to her husband's phone and call for help, but by that time he had passed away. She died 17 days later.
What is unclear is that a call to 911 should have gone through anyway, even on a phone that had been shut off, so at least one piece of information is missing from the story. Perhaps she was trying to call a friend or family member.
As I said, this is a very dramatic situation which happens very rarely, but the underlying issue is what is important to you and me.
A scammer had gone into a premium authorized Verizon store (that would be a store that has the Verizon logo on it, but is not actually owned or run by Verizon), pretended to be James' wife, and bought a shiny new iPhone, which the scammer put on James' account. When the phone number was transferred, James' wife's phone went dead.
After the two of them were deceased the scammer went back into the store and bought a tablet the same way.
The FTC said that over 2,600 people REPORTED similar scams in January 2016 alone, including Lorrie Cranor, chief technologist for the Federal Trade Commission.
Using a little known provision of the Fair Credit Reporting Act, she demanded in writing that the carrier provide her with information about the transaction. While the FCRA requires that they provide this information within 30 days, it actually took her carrier 60 days.
In both of these cases, the people whose accounts were hacked lost cell phone service and then had to convince the carrier that they did not buy new phones.
While in concept this is similar to credit card fraud, the process is more complex because federal law does not protect you in the same way. For credit card transactions, if you report the fraud within 60 days, you get your money back, period. In the case of Sprint or one of the other carriers, you have to convince them that you are the victim of identity theft and fraud. It is completely up to the carrier as to how they handle that. While you can certainly sue them, even in small claims court (where you are almost certain to win because they won’t show up), it is a time consuming process.
One thing to consider is that we now use our cell phones for two factor authentication and even account password recovery, so if an identity thief gets a new phone tied to your phone number, they receive those authentication codes and password reset messages too.
So, what can you do? Brian has a graphic in his blog post, but the short version is that every carrier has either the option or a requirement for you to set up a PIN on your account. The PIN, in theory, should be required in order for you to add lines, change lines and do other account-related things.
In reality, the sales reps in stores work on commission (or a quota), so they are not going to push too hard on verifying your identity and will try very hard to sell you that new phone or tablet – even if that means bending the security rules.
AT&T just sent out an email that said even if you don’t know your PIN you can still spend money in their retail stores using their forgotten password feature. This means that they will identify you some other way – maybe asking you for the last 4 of your Social or something else really secret. Remember, their goal is to sell you stuff, as I said earlier, and security just gets in the way of that.
Still, I recommend adding the password or PIN, and please don't make it 1234. Pick something longer and harder to guess. While it is not perfect, it is better than not having it.
The time required to clean up the mess is significant. You are going to have to go to the carrier's store – this is not something that they will deal with over the phone or online. You will have to get a new SIM card for your phone and deal with the charges on your bill. In the case of Lorrie Cranor, the thief bought cell phone insurance too, and she had to cancel that. In the case of the Schwartzes, whoever was the executor of the estate had to clean up the mess.
In Lorrie's case, she had two phones; the carrier programmed one of the replacement phones incorrectly, which required yet another trip to the store, and they screwed up the voice mail on the other. Then she had to fill out identity theft reports. Lastly, if all the scammer wanted to do was sell the phones on the black market, then you are in better shape than if they wanted to impersonate you. In the latter case, you would need to figure out what they did while they were in possession of your phone number. In one case, the thieves used the phone to make payments from the phone owner's bank account, which the owner had to clean up.
Suffice it to say, this is a frequent occurrence, the protections under federal law are somewhat limited, and cleaning it up will consume a significant amount of your time. While the PIN/password is not perfect, it is better than nothing.
And, if your cell phone goes dead, at least you have some ideas about questions to ask.
Information for this post came from Brian Krebs.