Attention all crooks: If you’re going to steal someone’s SIM card from their phone and then steal their identity, Richard Bowen of Frisco is probably not your best target.
You see, Richard has a nickname. He’s known as “the Citigroup Whistleblower.” About 15 years ago, he warned his bosses at Citicorp that they were stuck with billions of dollars’ worth of bad mortgages.
Nobody listened to him, and the economy crashed.
He testified on Capitol Hill, was profiled on CBS’ 60 Minutes and spent the next decade and a half at University of Texas at Dallas teaching students and financiers about ethics, fraud and the travails of being a whistleblower.
Richard knows how to summon the attention of lawmakers. He knows how to expose irresponsible chief executives. And he knows how to attract media attention to his cause. Here, he does that again.
SIM swap fraud
His mission today is to inform you about one of the scariest identity theft crimes in existence. It’s called SIM swap fraud.
A SIM card — Subscriber Identity — is a key component of every smartphone. It contains information about you, most important being your contacts. It also connects your phone to your phone company.
SIM card theft can happen to anyone at any time, as long as a phone company employee allows it to happen. But there are safety protocols to lower the chances it can happen to you, which I’ll share.
To steal it, a crook doesn’t actually have to remove the card from your phone. All they have to do is convince your phone carrier that they are you, and you need a new card. That’s it.
Fooled T-Mobil
On June 23, a man walked into a Virginia T-Mobile store at 7:22 p.m. and convinced the clerk he was Richard Bowen of Frisco and he needed a new SIM card. It worked. Just like that.
Within minutes the crook gained access to and complete control of Richard’s phone. The crook was able to use two-factor verification codes texted to the crook’s phone to change the password on Richard’s Yahoo account. From there, the crook attempted to break into Richard’s crypto accounts and steal his savings.
This happened two months ago, but Richard still cannot access his crypto accounts despite weeks of trying. He fears his money was stolen, but can’t verify that yet.
A month after the theft, T-Mobile apologized for the unauthorized reassignment of his phone contents. The company faces no penalty for its error.
Richard tells The Watchdog, “I never realized that I would be fighting fraud almost full time in retirement.”
Hours on the phone
An hour after the SIM card theft, Richard received an email stating that Yahoo sent a text code to sign into his Yahoo account. But he didn’t ask for one. When he went to check whether he’d received the code, he learned his phone no longer worked.
“At this point I became very alarmed,” he says.
Richard filed a police report. He also filed a complaint with the FBI.
He’s spent hours on the phone with reps for his crypto accounts at Coinbase.com and Blockchain.com.
He calls both companies “minimally responsive, and I am getting the run-around.”
I talked to all companies involved.
A T-Mobile spokesperson who asked not to be named tells me that SIM swaps “are an industrywide problem that all providers are working to fight.”
The company adds that it does have safeguards to prevent fraud and recommends changing passwords and PINS. Although T-Mobile is responsible for this mishap, it declined to comment on Richard’s case.
A spokesperson for Coinbase asked not to be named. The company describes itself as a secure online platform for buying, selling, transferring, and storing digital currency. The spokesperson tells me Richard did not lose any money.
“The company flagged and locked the account once the password had been reset from an unknown device,” the spokesperson adds. “We are currently standing by to transfer his original fund into a new secure account pending Mr. Bowen completing the identity verification process.”
Coinbase adds, “This issue is not a crypto or Coinbase specific issue. Rather, it affects every aspect of our digital lives.”
Brooks Wallace, a spokesperson for Blockchain.com, which describes itself as “a cryptocurrency financial services company,” tells The Watchdog: “Our customers have sole control of their funds and accounts with a self-custody wallet. The company never has access to customer accounts or funds.”
Here we go again. This time he’s warning about how to avoid a personal economic crash. Unlike last time, people better listen.
How to avoid SIM card theft
Key passwords and PINs should be changed. Use complex passwords for your phone, too. Multiple digits work best.
Search for information on your phone about how to reset the default SIM card lock.
Signs you may be a victim are: Your phone stops working; you can’t make calls or send texts; and you learn of activity in your name that you didn’t do. Also, you can’t get into your accounts.
Other warnings: You receive a message requiring you to restart your device. Or you’re locked out of your accounts. Or your contacts are getting messages from you that you didn’t send.
Be careful what you post on social media profiles. Obviously, keep off your mother’s maiden name, maybe your birthday, too, and other possible answers to security questions. In addition, SIM swapping is also used to hijack social media accounts.
Experts say the “two-factor” authorization where a code is texted to your phone is not all that safe. Some recommend using Google Authentication instead. You can research that.
Through your phone’s settings, you can add a pin code to your SIM card. Research how to do that on your phone. When I did mine, the original code was my phone carrier’s default numbers. Consider adding a longer PIN.