Sharon Hussey of Bethesda, Md., was scammed out of $17,000 even though she used two-factor authentication (2FA) on her phone. With text-message-based 2FA, before you can open an app, you have to type in a code that is sent via text to your phone. But there are ways that bad actors can get around this, and one of them is a technique called SIM swapping. With this in mind, let’s look at the unfortunate events that cost Ms. Hussey $17,000.
According to WJLA, the ABC affiliate in Washington D.C., Hussey received an email thanking her for purchasing a new phone with Verizon. Shortly thereafter, Bank of America notified Hussey of some changes to the contact information for her account. The thing is, Sharon did not buy a new phone from Verizon, nor had she changed the information for her Bank of America account. When she tried to call Bank of America to see what was going on, she couldn’t make the call since her phone was disconnected from cellular service.
When she tried to use her computer to access her Bank of America account online, she couldn’t, because 2FA required her to type in a code sent to her phone, which she could no longer receive. Within minutes, $17,000 had been removed from her bank account. She told WJLA, “Initially, I didn’t realize how big of a deal it was. I thought I had handled it on the first day by calling the bank, calling Verizon. Figuring things out.” She added, “And the bottom just kind of dropped out.”
SIM CARD ALERT: Sharon Hussey, who lives in Maryland, lost thousands after someone walked into a Verizon store in California & got a new sim card using her phone number. She breaks it all down. @7NewsDC pic.twitter.com/C8vKJX2wM0
— Scott Taylor : 7 News – WJLA TV (@ScottTaylorTV) January 24, 2024
What happened, according to the victim, was that someone walked into a Verizon store in California and purchased a new phone, using Hussey’s current phone number to activate the new handset. As soon as the new phone was booted up with a new SIM card connected to Hussey’s phone number, Sharon’s phone went dead. Even though she was able to contact Bank of America using a landline, it was already too late: her $17,000 was gone.
Part of the reason Hussey was so vulnerable was that her 2FA codes were sent by text to her phone number. Once the thief had a new SIM card tied to her number in his phone, all 2FA codes went to him, allowing him to easily open all of Hussey’s apps on his newly purchased handset. Hussey realized this herself when she said, “And I have two-factor identification which ended up biting me in the face when it all came down to it. That was the thing that completely hijacked everything. They had complete control of my phone and there was nothing I could do about it.”
Alex Quilici, CEO of YouMail, a visual voicemail and Robocall blocking service, explained how SIM swaps work. “The bad guys convince the telephone company that they have the SIM for your phone number and the minute the phone company does the swap they are in control of your number,” said Quilici. “If you’ve been doing two-factor authentication everywhere to your mobile phone number, if someone else gets that mobile phone number they can authenticate as if they are you,” he added.
For three months, Bank of America refused to credit Hussey for the $17,000 that was stolen. Eventually, the bank changed its mind and refunded the $17,000.
To make sure that this doesn’t happen to you, Quilici says, “The number one thing is to make sure you get a PIN or a number porting PIN with your carrier. That requires a special code that hopefully only you have that needs to be given to the carrier before they do the SIM swap.”
Verizon also has a list of things you can do to prevent being the victim of a SIM swap:
Use strong and unique passwords. Do not use the same passwords for your social media and financial apps. Despite what happened to Sharon, Verizon still recommends enabling two-factor authentication wherever it’s available.
Verizon says that you should be cautious of unsolicited texts, e-mails, and calls. If you detect a sense of urgency and feel that the other party wants you to act immediately, do not respond to the message and delete it.
If you get a message from your carrier saying that your service is being disconnected and you did not request it, call the company from a landline ASAP to determine if the message is legitimate. If you remain alert and cautious, and greet text messages that feel “off” with skepticism, you can give yourself a fighting chance against a SIM swap.