CLEVELAND — It used to be that your social security number was the most important number to protect. Now, it could be the number for your cell.
Thieves have found a pretty easy way to take over your smartphone, letting them get into your email and even clear out your bank accounts. And even the most tech-savvy are becoming victims, like Tony Pietrocola.
"It was a zombie phone. It was on, I could see all my stuff. But I couldn't make a call, couldn't text, couldn't go to the internet," he told us.
Pietrocola is the President of AgileBlue, a cybersecurity firm. And he, of all people, could have lost everything had he not been protected.
“I have all my accounts locked down with MFA (multi-factor authentication) and everything, so they weren't able to get anything. It was just a hassle,” he explained. “But I will say this, if that happened to the average person who doesn't have everything locked down, they (the thieves) probably are in all kinds of bank accounts and credit accounts and all kinds of things.”
He was the target of something called SIM swapping. The name refers to the tiny card that's in all smartphones, which can cause huge damage. That’s because it holds all of your information. And anyone can buy a card online.
Paul Sems, Managing Director of TrustedSec, another cybersecurity firm, says, “What we're seeing is threat actors come in. They're calling up the phone company and they're claiming to be you and saying, ‘Hey, I lost my SIM,’ and they get a new SIM issued or they do a SIM transfer.”
When that happens, thieves can have everything on "your" phone transferred to "their" phone. They can then intercept your calls and texts, including the verification codes many companies send to let you access your online accounts.
Sems says they’re able to trick the cell company employees into believing they’re you because they use information they've gathered from different sources, which may include your social security number or your last known billing address. They may even have passwords to your accounts.
But sometimes, it’s the cell phone company employees themselves who are perpetrating the scheme.
Investor Michael Terpin lost $23.8 million in cryptocurrency after the information on his SIM card was stolen. And tech consultant Seth Shapiro lost $1.8 million, blaming employees at his cell carrier for the swap.
But money isn't all they're after.
In a bold move, scammers broke into the Twitter account of Twitter's own CEO Jack Dorsey in a SIM swap scheme. They proceeded to tweet offensive messages until his account was shut down.
It led the company to turn off its Tweet By Text service in most locations, explaining, “We're taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication.”
Pietrocola points out, “If you have a corporate email, they could get into documents or into your VPN. Now, all of a sudden, they just had a treasure trove by breaking into this. Maybe they're able to get into the corporate network.”
How do you prevent this? Security experts say to call your cell provider and have them put a Personal Identification Number (PIN) on your account. That way, if anyone calls to make changes, they’ll need to have that number.