FTC chief technologist had phone account hijacked

FTC chief technologist had phone account hijacked
© Getty Images
 
The chief technologist of the Federal Trade Commission (FTC) is sounding a warning after having her cell phone account hijacked: It could happen to anyone. 
 
Lorrie Cranor blogged about her experiences on Tuesday. 
 
ADVERTISEMENT
“A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers,” she wrote. 
 
“My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.”
 
According to Cranor, not only is account hijacking a growing problem, it is growing faster than other forms of identity theft. 
 
In January of 2013, it comprised 3.2 percent of the identity theft complaints logged by the FTC. In January of this year, it represented 6.2 percent.
 
Cranor wrote that all four major carriers let customers add a password or pin to their accounts to increase security. But without that, hijacking an account is as easy as matching the last four digits of a social security number with a telephone number. 
 
And matching a cell phone number to a carrier is as easy as Googling the number — many of the results will have that information. 
 
Cranor notes that the problem is bigger than merely the costs incurred by the theft or the missed phone calls. 
 
“This crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts,” she wrote. 
 
“The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number.”
 
Hijacking a cell phone account to break into other accounts is not a new problem. In a widely publicized attack in 2014, indie developer Grant Blakeman found his Gmail and Instagram accounts hacked through just that method.