A new form of ID theft: account takeover


When Tiffany Bennett got an email from her phone company saying the password on the account she shares with her husband Kevin had been changed, she didn’t think anything of it.

“He and I share an account and we do that sometimes. I meant to check with Kevin to see if he had done it and it slipped my mind,” she remembered.

After all, this was her cell phone, not a credit card or something.

“When I really knew something was wrong and put everything together was a couple hours later when all of a sudden my texting wouldn’t work,” she said.

Thieves had somehow gotten the username and password the Bennetts used to access their account with their phone company. The thieves may have hacked the phone company, or they may have hacked a different website where the Bennetts used the same username and password combination. However they got the information, the thieves logged in, changed the password and transferred Tiffany Bennett’s phone number to a new phone, locking her out.

“Her phone number still worked,” Kevin Bennett recalled, “it just rang on the phone that they had, and this stranger up in New York was getting all of her texts and phone calls. And that’s what they used to enroll in Apple Pay using one of our credit card accounts they also had access to.”

The crooks used the phone number to impersonate the Bennetts with their credit card company. When the credit card company texted to say “Is everything OK?” the thief could say “Yep, sure is!” Using their combination of credit card information and the Bennetts’ phone, the criminals ended up purchasing hundreds of dollars’ worth of stuff.

“Mobile phone account hijacking doubled in 2016,” said Mike Bruemmer, vice president of consumer protection at Experian. Hacking phones makes it easier for a fraudster to then hack into a bank account or credit card.

Phone hijacking falls within a type of fraud called account takeover, of which cellphones often are a key part.

“In 2016, account takeover fraud was about $2.3 billion worldwide, but it was up 61 percent,” Bruemmer said.

Thieves are now taking over all kinds of accounts, not just phone lines, and locking people out, according to Ken Meiser with ID Analytics, which uses sophisticated behavioral analysis to detect fraudulent activity.

“Card, auto, demand deposit accounts, checking accounts and 401(k) accounts” have all been targets, he said.

There are a couple of reasons why account takeover fraud of all different kinds is blowing up.

“With the advent of the chip being placed in credit cards, it has lowered the value of stealing a credit card number. They’re moving on to other more lucrative types of fraud,” said Greg Goff, vice president of product management with LifeLock. (The company has provided underwriting support for Marketplace.)

When someone takes over your account, they can change your security questions and passwords. The nasty part about it is that when you call up to try and get your account back, you are the one who sounds shady — you don’t know your password or your security question. You sometimes don’t have access to your phone.

“It was a logistical nightmare,” recalled Tiffany Bennett. “Just with all our different accounts, making sure they were protected and explaining about the phone number, because they would want to call the phone number to verify. It was just a mess.”

The Bennetts were eventually able to get their phone back and the fraudulent charges removed. Experts say there are a few things you can do to limit the damage and risk of account takeover: First, do not use the same password for multiple accounts, including your phone.

LifeLock’s Goff said fraudsters count on this.

“Identity thieves buy thousands of hacked usernames and passwords and then just run bots to see where that login succeeds,” he said.

Other ways to protect yourself: get a separate, low-limit credit card for online shopping; don’t use public Wi-Fi to check sensitive accounts; and do use two-factor authentication. But what the experts come back to again and again: Don’t reuse passwords.