I have written the last several columns focusing on various security issues and protecting yourself and your data. I had not intended to do this column on a security issue, but an old problem has reared its ugly head and grown far fiercer; accordingly, it seemed that I needed to do one more in the series. Some of you may remember that a while back a lot of people talked about the bad guys cloning telephone numbers and stealing telephone accounts. That created some issues, mostly economic, as the numbers would appear and get lots of use for overseas calls and the like. Then the furor over that seemed to die down. I am here to tell you that the scam is not dead and still exists; but worse than that, it has grown into a direct way to steal identities.
My wife recently had her number stolen. Fortunately for her, the folks at AT&T got suspicious when it appeared in the Southeastern United States and was used for unusual calls. They contacted her and confirmed that she had not recently changed the password for access to the account and then informed her that her number had been misappropriated. AT&T was able to turn off the access to the cloned number and change the account password, and life continued. If AT&T had not become suspicious, it could have gotten much worse.
One reason is that many institutions, particularly banks, have developed a security system based on using your cell phone. The institution sends a secret code to your phone by text message, and when you repeat the code to them, they give you access to all your accounts. Without that, trying to do anything of significance with them is like pulling teeth without Novocain. Now, picture this: The bad guys steal your number, clone the phone, contact your bank, and use your phone number in the cloned phone to confirm that they are you. They get access to your accounts, open a new account, and transfer money from the old account (your account) to the new account (their account). Can you spell SCREWED?
The seriousness of the problem relates to the potential consequences for the victim and to the ease with which the bad guys can steal your number. If they can get physical access to your phone, they can read the required information from the SIM card and include it in a new SIM card that they create using inexpensive and readily available tools. Once they have done this, the new SIM card gets installed in another phone, and calls through that phone/card combination get billed to your account. But (and here’s the kicker) they do not need to have physical access to your phone. The wonders of modern electronic wizardry allow them to use readily available (albeit expensive) scanners to identify your number and steal it. One of the newest iterations of this technique, the port-out scam, is an attempt to get your number without stealing it from the SIM card. In the port-out scam, the bad guys try to get your number moved to a different carrier and then work from there.
If your phone gets cloned, it does not send you a notification saying that it has been cloned. Most likely you will discover it as a result of a call from your carrier asking if you have relocated or, alternatively, a bill showing unexpected charges.
What Happens Next
If your phone gets cloned, likely consequences include lots of hang-ups, wrong numbers, and problems making outgoing calls. You might experience strange phone bills with numbers that you cannot identify. You might also have problems with your voice mail. Worse yet, you may find your bank accounts invaded, your credit compromised, and your identity stolen. All in all, this does not paint a desirable picture, and you want to try to avoid it. Many security experts have concluded that they would rather have someone steal their Social Security number than their phone number.
How to Protect Your Phone
The first part of this section should sound familiar to you, as I have advised you to do this before:
1. Keep your phone physically secure and in your possession.
2. Keep your software up to date.
3. Use a secure password, which should be at least eight characters (more if possible), including alphabetical (upper and lower case), numeric, and symbolic components, and/or biometric access (fingerprint or facial image).
Here are some new ones for you to adopt:
4. Use a secondary password for access to your accounts. Most carriers will accommodate the secondary password. The major ones do. Some of the smaller providers may not. If yours does not, think about whether it makes sense to change carriers.
5. Employ two-factor authentication, if your carrier affords it as an option. It adds to the hassle but helps protect your security.
6. Review your bills. Regularly check your phone bills for unusual charges. While you are at it, you should also check your bank records and credit card statements regularly for unusual transactions.
7. Get an RFID bag. More and more manufacturers have created bags and cases that provide security against radio-frequency identification (RFID) scanners reading data held inside them. Think about getting such a device and carrying your phone inside of it when you are not using it. The bags range from very inexpensive to fairly pricey depending on size and materials. I have received several free as giveaways at conferences; they appear to have become fairly popular giveaways. The least expensive I have seen on the market is $8.15 at Amazon. Amazon has a number of these devices ranging from $8.15 to $179 depending on the configuration and size of the bag (some accommodate phones, others tablets, and others computers). Some of them also function as wallets. Additionally, you can find purses and briefcases with RFID pockets. By the way, if you get one of these bags and do not have an RFID-resistant wallet, you may want to store your microchipped credit cards in it as well to protect the microchips embedded in the cards from scanning. While this approach will give you protection while the phone or other device is in the RFID bag, it has some problems. Because the bag blocks RFID signals and your devices use RFID signals to communicate, you will not receive calls while your phone is stored in an RFID case—the case will also block the phone signals. Moreover, when you take the phone out of the case to make a call, it again becomes vulnerable to scanning and will remain so as long as you have it out of the case. Accordingly, this approach offers excellent but not complete protection, at the expense of convenience and your ability to receive calls from others.
Actually, come to think about it, keeping the phone in the bag while driving may prevent accidents by reducing the number of distracted drivers on the road (note that in some locations it is already illegal to text while driving or to use a cell phone other than in a hands-free mode while driving).
So, the bottom line is that I have no perfect or almost-perfect solution to offer you. I can only advise you of the risk and encourage you to act as prudently as possible in connection with that risk. Follow basic phone safety rules (1–3 above). Put two-factor authentication and a secondary password into effect with respect to accessing your phone account, assuming your carrier offers both (4 and 5 above), and get an RFID bag and store your devices (phones, tablets, etc.) in the bag whenever possible (7 above). Limit the time your devices get exposed (become scannable). Regularly check your cell phone bills for evidence of unusual calls (6 above). If in doubt about a charge, call your provider and have them check out the situation. Remember, you cannot completely eliminate this threat; you can only reduce its impact.
Published in GPSolo magazine, Volume 36, Number 6, November/December 2019. © 2019 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association or the Solo, Small Firm and General Practice Division.