Criminals use common security feature to access bank accounts

JACKSONVILLE, Fla. — Phone theft is on the rise across the county. But crooks are stealing your smartphone, just all the data on it. It’s called sim swapping and once it’s done your bank accounts will likely be empty.


Consumer adviser Clark Howard sat down with a cyber security expert who explained that this type of theft is sometimes an inside job. Phone carrier employees sell customers’ data on the dark web. Clark learned there are ways to protect yourself.

[DOWNLOAD: Free Action News Jax app for alerts as news breaks]

Two-factor authentication is a common security feature to protect your information. Codes sent to our phones to access our bank accounts, credit cards and retirement funds to confirm you are logging into an account, and not a thief. Now criminals are exploiting this security feature to rob you blind. It’s called sim swapping.

“What that is, is where an attacker, through a couple of different ways, gets control of your phone number. And they do that normally through calling the provider, switching out phones and taking over your number,” former FBI analyst Willis McDonald xplained. McDonald specializes in cyber threats.

McDonald told Howard many times criminals work with an employee at the phone company. Often thieves watch your habits and plan a sim swap attack when you’re at work or on vacation.

“One trusted person who might even be a contractor for a cell phone carrier can exploit this vulnerability to take your service away from you. And you don’t even know till you wake up the next day,” Howard said.

Related Story: ‘They cleared my whole bank account:’ Jax woman scammed, experts now warning others about spam texts

“That’s exactly how this works,” McDonald said.

McDonald said criminal markets offer sim swapping services that range anywhere from $900 to $10,000 depending on whose sim you’re swapping.

“Somebody like Clark Howard probably closer to the $10,000 mark. Everyday citizens, maybe $900,” McDonald said. He showed Howard examples of personal information for sale online.

Howard said there are three steps you can take to protect yourself. First, call your provider and ask for enhanced security features to be added to your account such as asking for more info before making the swap. Second, get a hardware key or token. McDonald said hardware tokens like YubiKey, or Google Titan keys allow you to use a piece of hardware to actually log into your account rather than passwords or text. Third, if your provider won’t let you use a hardware key, both Howard and McDonald suggest a rolling code authenticator like Microsoft or Google authenticator is the next best thing.

[SIGN UP: Action News Jax Daily Headlines Newsletter]

Verizon shared this link advising their customers to stay protected from sim swaps.

T-Mobile statement:

“SIM swaps are an industry-wide problem that all wireless providers are working to fight. T-Mobile invests heavily in measures designed to keep customers safe from SIM swaps and other fraudulent activities, including Account Takeover Protection, number transfer PINs, two-step verification, free scam protection with Scam Shield, SIM Protection, a security dashboard and more. Customers can take other steps to protect their online accounts, such as using unique and strong passwords, resetting pins and passwords frequently and being cautious with unexpected calls and texts. We’ve got some additional information outlined here. More information about SIM swaps can be found on the CTIA website here, including tips on how to protect yourself.