High-tech crooks have figured out a way to get around two-factor authentication and access some customers’ bank, email and cell phone accounts.
Two-factor authentication is the process where your bank, email provider or other business texts you a one-time code that must be entered to get access to your account after you enter your password. Without the code, a user cannot log into an account.
Businessman Robert Ross says crooks got his cell phone company to change his SIM card without his knowledge so calls, texts and two-factor authentication messages no longer went to his cell phone, but instead to one the hacker had in his possession. A SIM card is the little chip in most phones that tells a cellular company which handset should receive a call or text.
“Hackers stole $1 million from me,” Robert Ross said.
A 21-year-old man was later arrested.
Ross says $500,000 was stolen first and then $500,000 again later.
"What the hackers did is they called up AT&T and they impersonated me, and they said, ‘Hi my name is Rob Ross and I got a new phone with a new SIM card. And could you please change the SIM card number in my account,’” Ross said.
AT&T would not confirm or deny the specifics of Ross’ situation.
The hacker never touched Ross’ cell phone, he says, but was able to route all of Ross’ calls and texts to the hacker's own phone. This included the two-factor authentication texts needed to get into Ross’ bank accounts and Gmail account.
"I look up from my phone, to my laptop and I saw that in real time, my Gmail was going from being logged in to logged out and then I looked back down at my phone. I clicked through the lock screen and I saw that I had no service," he said.
He says that preventing messages from reaching his Gmail might have delayed him from finding out that money had been moved from his account.
Metropolitan State University of Denver professor Steve Beaty, who is a cybersecurity and information technology expert, says sometimes crooks can get into a customer’s cell phone account by knowing the answers to security questions.
"What's your mother's maiden name? What is your pet's name? The problem is, all of those can be found out very easily through breaches and through social media," Beaty said.
Beaty says the growing number of breaches shouldn't deter you from using two-factor authentication for your Gmail and bank accounts. Instead, he says, make it harder for people to impersonate you.
"I recommend lying about your secret security questions so that you’re not using your mother's maiden name, not your pet name, not your favorite car. I can figure out all of those things about you on Facebook and Twitter," Beaty said.
The suspect who police say broke into Robert's accounts has been caught. He's from New York City and faces 21 charges.
In Ross’ case, his money was stored in a virtual currency.
He doesn’t expect to get his money back.
AT&T sent the following statement:
“We continually look for ways to enhance our policies and safeguards to protect against these sorts of scams. When our customers are victims of identity theft, we strive to reverse activity related to their account with us and restore service as quickly as possible.”
AT&T has a web page with news and information about SIM swaps here: https://about.att.com/sites/cyberaware/ni/blog/sim_swap.html