My phone number was temporarily stolen last month. Rather than just tweet about it, I decided to write a letter to my local MP, Jeremy Corbyn, with specific suggestions on how to combat identity theft and phone scams.
Dear Mr. Corbyn,
In the last month, I have been subject to multiple identity theft attempts and fraud scams. No permanent harm was done, but it was very distressing. Moreover, it highlights major shortcomings with the government’s regulation of personal data security, particularly for mobile phone companies.
On XX December, I received a text message from Three telling me that my registered billing address had been changed, even though I had not requested this. I was in Canada on holiday and unable to contact Three until I returned on XX January.
It emerged that someone had called Three on XX December pretending to be me (they only needed my billing address and date of birth) and successfully changed my billing address to “19 Haling Park Road, South Croydon, CR2 6NJ” — presumably a forwarding address. They then requested a replacement SIM card be sent there.
The SIM card would have arrived a few days later, giving them possession of my mobile phone number. They attempted to buy £650 of goods from Boots.com on my credit card. This attempt was stopped automatically, and when the scammers called the credit card company, they were unable to authorise the purchase because they didn’t know my PIN.
When I returned on XX January, I visited a Three shop and was given a new SIM card. I also changed my billing address back, and XX issued me a new credit card (with a new number). Everything was back to normal — although on XX January I received a call from a person with an Indian accent on 0333 338 1019, telling me that they were Three customer support; this was obviously untrue, so I hung up.
This is not an isolated case. It’s very likely the scammers obtained my phone number and billing address as a result of the massive Three hack last year (“Three mobile: Arrests made over data breach”, 18 Nov 2016; “Three UK suffers major data breach via compromised employee login”).
I was not informed about this hack by Three. Either they have not told all the customers affected, or they underestimated the number affected. In any case, this is a dreadful oversight. A cursory search on Twitter reveals several other people who have also received calls from 0333 numbers pretending to be Three customer support:
The Indian accent suggests the scammer is related to the massive operation described by the New York Times (“India’s Call-Center Talents Put to a Criminal Use: Swindling Americans”, 3 Jan 2017).
The security of mobile phone numbers is crucial. Phone numbers are used by messaging apps like WhatsApp, Facebook, and Twitter for identity verification. Banking websites and high security services use phone numbers as the basis for two-factor authentication. If someone gains access to my phone number — as they did for several days — they can reset my passwords, transfer money, and read my messages. And the danger is only growing.
The theft of a phone number is like the theft of your wallet, passport, credit cards, and diary. If it emerged that 130,000 passports had been stolen from the government, there would rightly be an uproar — mass firings, official inquiries, criminal investigations, and more. But nothing appears to be happening with this hidden digital theft.
The government must do more to prevent these kinds of scams. I am fortunate enough to be familiar with technology and scammers, but many people are not. Here are four specific suggestions on how the government could combat scammers and protect citizens:
- Require mobile phone companies to perform better identity checks. It is absurd that someone only needs my date of birth and address to pass as me; that information is readily available from many online and public sources.
- Require companies that have been hacked to disclose the hack with their best endeavours via post, email, and text message. They should contact not just all identified victims but, if there is a reasonable suspicion the hackers may have accessed more data, every single customer.
- Rapidly identify and shut down scam phone numbers, with the help of consumers reporting them directly. This could be coupled with smartphone apps that help consumers identify scam numbers themselves. The US FTC has run competitions to develop such scam identification apps; alternatively you could give the job to the talented people at gov.uk or MySociety. It would be money well spent.
- Work with other countries to identify and shut down large criminal operations of the type described in the New York Times.
Online and digital security is often treated as an afterthought compared to ‘real world’ crimes like burglary and theft. “Out of sight, out of mind.” This attitude must change. Identity theft can cause massive financial harm to citizens, and if recent events in the US election are any indication, it can lead to attacks on democracy itself.
As my local MP and Leader of the Opposition, I ask you to pursue this matter with urgency.
Photo CC-BY jamescridland