At the end of May, I was traveling abroad when I got a text message from T-Mobile, my cell phone provider.
While this seemed like a routine support message, I actually didn't call T-Mobile. In fact, I had just landed and was on my way to the hotel. So I didn’t pay too much attention to the text, thinking it was a mistake.
I checked into my hotel, went to eat a delicious pizza, and only then I realized I didn’t have service on my phone. As I write about sketchy people doing bad things on the internet, my first thought was: someone is trying to mess with my cell phone account.
Over the last couple of years, I’ve written extensively about an increasingly common fraud called SIM hijacking, SIM swapping, or port out scam. Hackers use this technique to steal precious social media accounts, as well as break into and empty cryptocurrency wallets with millions of dollars inside. When criminals hijack your phone number you usually get a text message alerting you of some change on your account.
I wondered if it was happening to me.
Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
As soon as I got on a Wi-Fi network, I called T-Mobile. A representative told me that someone had reported my phone stolen, and asked my line to be suspended, which is why I didn’t have service.
“This is very alarming,” the representative said, after I explained that I was on vacation and my phone was, indeed, not stolen. In fact, I was holding it at that very moment.
After she asked to verify my phone’s International Mobile Equipment Identity number, or IMEI, the representative restored service on my phone. She also promised to file a form reporting a fraud attempt, and to follow up in around a week to tell me what happened.
She never called back. So this week I decided to follow up with T-Mobile. After more than an hour on the phone with two different representatives, I learned that on that day in May, someone went to a store in New Jersey and somehow convinced the employees that they were me, and got them to not only suspend the line, but to also change the address on my account to that of a house in Massachusetts (where I’ve never been nor lived), change the name displayed as my caller ID to “Doctor Avila,” and put a different number as a contact phone.
“Unfortunately I can’t give you the number that it was changed to, and that's for security purposes. We don't want you calling that person and ultimately someone be harmed or anything like that,” the representative said.
That makes sense, I thought, but I asked how it was possible that a stranger got a T-Mobile employee to change information on my account, apparently without providing any verification. T-Mobile, like other providers, now encourages customers to set up a passcode or PIN that’s used to verify customers when they call in or go to a store.
To my surprise, the representative said that it’s T-Mobile policy not to disclose information regarding incidents like this—not even to the victims.
The representative even read aloud part of a memo on my account: “The team reviewing the report will take appropriate action based on their findings. The results of the investigation will not be discussed with the customer or notated in the account. Do not promise or offer a call back by the team completing the investigation, even if the customer requests it.”
Another representative told me that the employee who authorized the changes was “terminated.” But other than that, I was not supposed to know anything else about what really happened.
A T-Mobile press representative did not respond to a request for comment.
Ultimately, I got lucky. Whoever walked into that New Jersey store did not appear to want to hijack my number, they maybe just wanted to prove a point, or send a message. So this was a nuisance more than anything else. But it still shows T-Mobile needs to do more to protect customers’ accounts.
“The weakest element here is the fact that the PIN [or passcode] is confirmed by people, not by a system unlock,” Jonathan Haas, a security researcher who studied SIM hijackings for a major social media company, said. “I think having a more robust identity structure would remove these concerns. Having a singular item that’s verified against doesn’t cut it.”
In other words, the mitigation strategy T-Mobile has taken against SIM swapping has the same weakness that it always had: humans.
Subscribe to our new cybersecurity podcast, CYBER.