Resetting an account's password is like having your hardware store make a new key to your home. Many use their phone numbers as a way to retrieve temporary codes to change their passwords for convenience.
But that method is also convenient for thieves looking for ways to access your most important accounts online. In some cases, knowing your name, your phone number and your phone’s carrier are all that a thief needs to inflict real damage.
NBC 5 Responds found new federal regulations could help better protect you from these kinds of schemes in the future, but for now, it’s wise to implement stronger protection yourself.
To start, ask yourself: How many accounts do you have tied to your phone number for security? And if someone stole your number, could they gain access to what matters most?
That’s what happened to one man in Joliet, who tells NBC 5 Responds his worst fears came true when out of the blue, his phone stopped working.
"I went to make a call and it wouldn’t make a call," Phil Michno said. "I log into my email and I wasn’t able to, it said 'Password Changed.'"
To find out what was going wrong, Michno said the first call he made was to his phone carrier: Boost Mobile. But the call left him with more questions than answers.
"I called Boost Mobile, and I said 'Hey, what's going on with my phone? It’s not working.' And they said 'Oh, we see that you changed to another company,'" Michno explained. "I said 'I never changed to another company!'"
Michno said the Boost Mobile representative told him they had received a request – allegedly from him – to transfer his number to another carrier.
But Michno was not the person who made that request, a point he relayed, in a conference call with Boost Mobile, to the new carrier his phone number had been moved to.
What happened to Michno is called "SIM swapping."
In a SIM swap, a scammer impersonating you convinces your current phone carrier to switch your number to another company through your "subscriber identity module," or SIM.
That SIM is then virtually connected to the thieves' device, and now, they have access to everything on your phone, including password recovery texts. As they arrive, a scammer is sitting right there, receiving them.
SIM swapping is a scheme that the Federal Communications Commission reports hundreds of people fall prey to each year.
In Michno's case, the thieves went for his Coinbase account holding $135,000 of bitcoin, savings he says were meant to be the foundation of his daughter’s college fund.
Michno said when he contacted Coinbase to warn them he had been hacked, they told him it was too late. "They wrote, 'Oh, we've found that you've been the victim of a SIM swap.' And all of your bitcoin has been stolen," Michno said.
In a statement, Coinbase told NBC 5 Responds it is prohibited from sharing details about Phil’s loss.
In most cases, the company said it "does not cover any losses … due to a compromise of a customer’s login credentials."
Michno said his case is now in the hands of the FBI and that the Bureau told him many people are falling victim to SIM swapping schemes. And the longer you have had your phone number, the more information tied to it is likely out there for a hacker to find.
The FCC said with the number of customer data breaches increasing over the last few years, more customer info, like a person’s phone number and carrier, is accessible in illicit markets on the dark web.
That’s why Michno believes phone carriers have a responsibility to protect their customers’ information and phone numbers from unauthorized transfers.
"Boost Mobile gave away my number. They were my carrier, they did not protect my information," Michno said. "These cell phone carriers need to be responsible for people’s information."
For its part, Boost Mobile said it is "committed to investigating [Phil Michno’s] issue and discovering how the fraud occurred."
A company spokesperson also said it recently "implemented several procedures … to prevent fraudsters from manipulating the system."
Those kinds of customer protections could soon be mandatory across the board in the United States.
The FCC has proposed rules that would require phone carriers to do much more to verify that a customer is really the person requesting a phone number change to a new device.
How to Protect Yourself From SIM Swapping
While new federal rules for carriers could mandate stronger protection, there are some ways you can protect yourself.
First, contact your phone carrier to see if they offer any kind of protection against unauthorized transfers.
These services are called “number blocking” or “number locking” and sometimes are as simple as checking a box in your profile. If that service is not available, the FCC suggests asking your carrier if you can set up a number or password required in order to transfer your number to a new device.
Another way to protect yourself is to use two-factor authentication for passwords.