Cyberthieves Train Their Sights on US Mobile Phone Customers

Cyberthieves Train Their Sights on US Mobile Phone Customers 620 330 C-Suite Network


A relatively new form of cybercrime recently has been plaguing American consumers. Thieves have been hijacking mobile phone account numbers and then transferring services to a different device, The New York Times reported last week.

Further, hackers have begun using mobile numbers to raid digital wallets and similar accounts, according to the paper.

This type of theft has been successful even against the most sophisticated of consumers. Accounts belonging to the chief technologist of the Federal Trade Commission, Lorrie Cranor, are among those that reportedly have been breached.

A simple identity theft scam targeted two of her phones, Cranor wrote in an online post earlier this year, resulting in her eventually losing control of her devices and her account information, not to mention the intrusion into her personal life and loss of privacy.

Identity thieves simply walked into a store, claimed to be her, and asked for a mobile phone upgrade. They walked out with two new iPhones assigned to her number. The SIM cards on her account were deactivated.

The FTC declined to comment on whether it was pursuing an investigation related to the incident.

Cyberthefts involving a mobile phone account hijacking or opening of a new mobile account in a victim’s name have jumped from 1,038 reported to the FTC in January of 2013, or 3.2 of all identity thefts reported to the commission in that month, to 2,638 in January 2016, or 6.3 percent.

Because only about 1 percent of identity thefts are reported to the FTC, regulators have only a small slice of examples to evaluate when trying to get ahead of data scams.

Vulnerable Systems

The incidents that have been reported showcase a vulnerability in today’s security protocols, said Mark Nunnikhoven, senior vice president for cloud research at Trend Micro.

A lot of multifactor identifications systems use text messages as a tool to verify identity, because the goal of many attacks is to take control over the phone number and not the physical handset, he told the E-Commerce Times.

“These attacks use social engineering techniques to abuse a mobile phone provider’s business processes,” Nunnikhoven said. “The attacker calls up the mobile phone provider and uses just enough information about you, plus a few social engineering techniques, to get the provider to transfer the…