Criminals using common security feature to access your bank accounts

  • Oops!
    Something went wrong.
    Please try again later.

Phone theft is on the rise across the country. But crooks aren’t stealing your smartphone, just all the data on it.

It’s called “SIM swapping” and once it’s done, your bank accounts will likely be empty.

Consumer adviser Clark Howard sat down with a cyber security expert who explained that this type of theft is sometimes an inside job.

Phone carrier employees sell customers’ data on the dark web. Howard learned there are ways to protect yourself.

Two-factor authentication is a common security feature to protect your information. Codes are sent to our phones to access our bank accounts, credit cards, and retirement funds to confirm you are logging into an account and not a thief.

Now criminals are exploiting this security feature to rob you blind.

“What that is, is where an attacker, through a couple of different ways, get control of your phone number. And they do that normally through calling the provider, switching out phones, and taking over your number,” former FBI analyst Willis McDonald said.

McDonald specializes in cyber threats.

McDonald told Howard many times criminals work with an employee at the phone company.

Often thieves watch your habits and plan a SIM swap attack when you’re at work or on vacation.

“One trusted person who might even be a contractor for a cell phone carrier can exploit this vulnerability to take your service away from you. And you don’t even know till you wake up the next day,” Howard said.

“That’s exactly how this works,” McDonald said.

McDonald said criminal markets offer SIM swapping services that range anywhere from $900 to $10,000, depending on whose SIM you’re swapping.

“Somebody like Clark Howard, probably closer to the $10,000 mark. Everyday citizens, maybe $900,” McDonald said.

He showed Howard examples of personal information for sale online.

Howard said there are three steps you can take to protect yourself.

First, call your provider and ask for enhanced security features to be added to your account such as asking for more info before making the swap.

Second, get a hardware key or token. McDonald said hardware tokens like YubiKey, or Google Titan keys allow you to use a piece of hardware to actually log into your account rather than passwords or text.

Third, if your provider won’t let you use a hardware key, both Howard and McDonald suggest a rolling code authenticator, like Microsoft or Google authenticator, is the next best thing.

Verizon shared this link advising their customers to stay protected from sim swaps.

T-Mobile statement:

“SIM swaps are an industry-wide problem that all wireless providers are working to fight. T-Mobile invests heavily in measures designed to keep customers safe from SIM swaps and other fraudulent activities, including Account Takeover Protection, number transfer PINs, two-step verification, free scam protection with Scam Shield, SIM Protection, a security dashboard and more. Customers can take other steps to protect their online accounts, such as using unique and strong passwords, resetting pins and passwords frequently and being cautious with unexpected calls and texts. We’ve got some additional information outlined here. More information about SIM swaps can be found on the CTIA website here, including tips on how to protect yourself.”

Download the FREE WPXI News app for breaking news alerts.

Follow Channel 11 News on Facebook and Twitter. | Watch WPXI NOW