Telecommunications // Washington, DC, United States
Here’s what happened to the Federal Trade Commission's lead techie, who is on leave from Carnegie Mellon University's comp sci department: A woman walked into a retail carrier store in Ohio, identified herself as Lorrie Cranor, and bought two Apple iPhones on an installment plan. She billed them to Cranor’s account and walked away.
“The thief would have needed to know my name, my mobile phone number, and make a fake ID,” according to Cranor. “It’s possible that the store could have asked for the last four digits of my SSN, but even that is not that hard for an identity thief to come by.”
The ID thief used an increasingly common trick called phone account hijacking. It is endemic to all the major carriers, which is partly why Cranor declined to name her carrier.
"What makes account hijacking so insidious is it can happen even if the victim is scrupulous about protecting personal data. Much of the information needed for this hack is available on reverse-lookup sites that link phone numbers with names," according to Wired. "That’s why even someone as informed as Cranor could be compromised."
The four major U.S. carriers—AT&T, Sprint, Verizon, and T-Mobile—let customers protect their account with a PIN or password that must be entered before altering the account. But Cranor had not enabled hers.
“Before I realized what was going on, my phone said ‘emergency calls only,’ and I thought it was bad coverage,” Cranor says. “If you see that, it’s probably not bad coverage. There’s probably something else going on.”