Phone Hacked

[raptor1956]

I noticed my phone bill was much higher than it should be and when I looked back I found the last two bills were way higher than normal.  My bill averages about $96USD/month and this months bill was $550.44 while the previous bill was $972.85.  I have autopay so I don't always review the details of the bill but fortunately this time I did.

So, I first contacted my credit card company as I wasn't sure what was going on and had my card turned off.  I then called Verizon, but since it was late at night I had to call this morning to actually talk to anyone.  It looks like someone managed to get access to my Verizon account in April and added phones to the account -- phones which have never been used since then.  Verizon suspects they were taken out of the country.

Interestingly, back in June the text messages Verizon sent each month started coming in Spanish, but I didn't pay much attention to it.  All subsequent texts from Verizon were also in Spanish.  I guess I should have suspected something was up, but I get so many texts and phone calls and emails from scammers that I just ignore them and assumed this was some kind of phishing effort.

So, it looks like Verizon is going to reimburse me for the over charges but there fraud department needs to check into it so I wont know for sure for 3-5 days.

I know this is just the way the world works these days, but it would be nice if companies made a greater effort to protect out data and not just work to exploit it for there gain.

So, with Verizon on hold I called the my credit card company to have the card turned back on but they said I need to keep it turned off until a new card is sent which means I'm unable to buy anything from Amazon today.


Brian

[edy]

It would be interesting to know how this fraud got pulled off exactly and what security measures were in place to detect and avoid it in the future. For example, did somebody call Verizon and claim to be you (somehow provide information from your Verizon bill) and once verified, proceed to request SIM cards to be sent and activated with additional phone numbers, or even worse, phones? Which address would they have sent it to, and if not your home, how could they have obtained the items (porch pirate, Verizon store in-person identity fraud)?

If they did this online, and logged into your account, could they have added services and again, to what address could they have sent the items? Or did they arrange to pick up at a store and then get the items by showing false credentials? Who verified they were who they claimed they were?

Finally, this possibly was NOT a malicious criminal act but just a case of an internal mix-up by an incompetent Verizon employee who keyed in the wrong number and cross-linked unrelated accounts. It is good that they are reimbursing you for the screw-up but hopefully they can explain how this happened so you and others can learn how to protect ourselves from this in the future, especially if this was a "hack".

[Rick Law]

I noticed my phone bill was much higher than it should be and when I looked back I found the last two bills were way higher than normal.  My bill averages about $96USD/month and this months bill was $550.44 while the previous bill was $972.85.  I have autopay so I don't always review the details of the bill but fortunately this time I did.
...
...
So, it looks like Verizon is going to reimburse me for the over charges but there fraud department needs to check into it so I wont know for sure for 3-5 days.

I know this is just the way the world works these days, but it would be nice if companies made a greater effort to protect out data and not just work to exploit it for there gain.
...
...
Brian

That is one of the issues why I stopped autopay.  It is fortunate that Verizon is going to reimburse you.  I found that once they already have the money, they are not always eager to help in giving it back.  Over a decade ago, a similar issue occurred to me.  I decided it is easy to work with them while I still hold the money, so I no longer use autopay on anything.

[wraper]

I'd guess that your account password was leaked because you used it on some other website which was hacked.

[boffin]

I'm curious, what exactly was hacked.  Was the data usage much much higher? Were there fraudlent texts being send?  Actual (and longdistance) phone calls made ?

[Stray Electron]

I'd guess that your account password was leaked because you used it on some other website which was hacked.

  OP, did you use the same password for Verizon and any other account?

   I'm wondering if someone might have hacked the other account and gotten your PW and then found that it worked for Verizon also.

[james_s]

I'm curious, what exactly was hacked.  Was the data usage much much higher? Were there fraudlent texts being send?  Actual (and longdistance) phone calls made ?

It sounds like they ordered physical phones and then likely shipped them off elsewhere to be used on another provider.

[Halcyon]

For those that are curious on how these types of "scams" work, they rarely involve hacking of any kind. What is more concerning is they usually involve theft of ID. These types of scams are not uncommon in Australia. Have you noticed any mail missing from your mailbox? Do you securely dispose of identifying documents such as bills, bank statements etc...?

Quite often these grubs will gather enough personal information about you to satisfy security checks with these companies. Phones and other services can usually be ordered online or over the phone with little more than your name, address, phone number and date of birth. They send the handsets overseas so that any IMEI blocks in the originating country are ineffective.

Where to go from here?

If your ID has been stolen, or you suspect it has, you need to start checking all your paperwork. Regularly check your statements and order copies of your credit file (so you can see if there are any unusual credit enquiries or new accounts being set up in your name). Once your information is out there, it's impossible to get it back, you just need to monitor it.

If you have noticed mail going missing and/or the lock to your mail box has been broken, make a Police report. They might not be able to do anything about identifying offenders, but at least there is a record of it in case you need it later. Consider a PO Box rather than relying on your home (insecure) mail box.

Speak to your service providers and see if you can set up one-time passwords or even a verbal password on the account which would need to be quoted every time you want to make a change to your services. Even if someone has your personal details, they are very unlikely to know that password.

[raptor1956]

I'd guess that your account password was leaked because you used it on some other website which was hacked.

Nope, I have separate passwords for everything.

Also, when I discovered the problem I tried to logon to my Verizon webpage but I was locked out due to too many attempts that failed.  So, my guess is they tried to guess my password and failed.

But, just how they were able to get access and exactly what kind of access is hard to say.  I asked them but they were not real helpful in answering that question.


Brian

[raptor1956]

I'm curious, what exactly was hacked.  Was the data usage much much higher? Were there fraudlent texts being send?  Actual (and longdistance) phone calls made ?

As best I can tell they bought some phones but the Verizon rep said they were never used.  She said it's likely they were taken out of the country and activated someplace else.

It still begs the question of how they were able to buy phones with my account.


Brian

[james_s]

They obviously managed to log into your account somehow, I would certainly change the password if you haven't already. Did you use the same password you have used elsewhere? Those get leaked from time to time. Also do you have "secret" questions set up to recover a lost password? Often the choices you get for that are fairly easy to find out once someone knows who you are. Things like what street did you grow up on or what school did you go to, mother's maiden name, etc that's all fairly public information.

[wraper]

They obviously managed to log into your account somehow, I would certainly change the password if you haven't already. Did you use the same password you have used elsewhere? Those get leaked from time to time. Also do you have "secret" questions set up to recover a lost password? Often the choices you get for that are fairly easy to find out once someone knows who you are. Things like what street did you grow up on or what school did you go to, mother's maiden name, etc that's all fairly public information.

In countries like US, UK and Australia it could be done over the phone as much as I'm aware. Would not fly in Latvia where I live.

[raptor1956]

For those that are curious on how these types of "scams" work, they rarely involve hacking of any kind. What is more concerning is they usually involve theft of ID. These types of scams are not uncommon in Australia. Have you noticed any mail missing from your mailbox? Do you securely dispose of identifying documents such as bills, bank statements etc...?

Quite often these grubs will gather enough personal information about you to satisfy security checks with these companies. Phones and other services can usually be ordered online or over the phone with little more than your name, address, phone number and date of birth. They send the handsets overseas so that any IMEI blocks in the originating country are ineffective.

Where to go from here?

If your ID has been stolen, or you suspect it has, you need to start checking all your paperwork. Regularly check your statements and order copies of your credit file (so you can see if there are any unusual credit enquiries or new accounts being set up in your name). Once your information is out there, it's impossible to get it back, you just need to monitor it.

If you have noticed mail going missing and/or the lock to your mail box has been broken, make a Police report. They might not be able to do anything about identifying offenders, but at least there is a record of it in case you need it later. Consider a PO Box rather than relying on your home (insecure) mail box.

Speak to your service providers and see if you can set up one-time passwords or even a verbal password on the account which would need to be quoted every time you want to make a change to your services. Even if someone has your personal details, they are very unlikely to know that password.

This is a distinct possibility --  I live in an apartment complex and I've found transients rummaging through the garbage more than once.  I used to shred all my documents before disposal but admit to not doing that all the time. 

Companies like Verizon are not going to put additional safeguards in place as they make money selling stuff and thieves buy from them so there's little incentive to enact tougher protocols.  You can't go a week without another report of a data breach and the companies that have been breached rarely pay much of a penalty so, once again, there's little reason as far as there concerned to doing anything more to stop it.  When Equifax was hacked and 143 million people had there most important data stolen the first thing Equifax decided to do was promote there privacy protection package -- they were determined to profit from the hack.

We live in times where little people have zero influence in how things are governed and large money interests have total say.  One particular billionaire stated he could shoot someone in broad daylight and get away with it -- I leave it for you to guess who that billionaire might be.


Brian

[Halcyon]

I live in an apartment complex and I've found transients rummaging through the garbage more than once.  I used to shred all my documents before disposal but admit to not doing that all the time. 

Yep, then I would almost guarantee they've gone through your bins and/or mail boxes. It's not hard to pick those crappy locks or find universal keys for locks they put on mailboxes in apartment buildings. The guys that "collect" the information are not normally the ones doing the scamming/fraud. Sometimes they are paid to go out and steal mail by others higher in the food chain. Pressure your body corporate to install CCTV around mail boxes.

[wraper]

At 3:00

https://youtu.be/LlcAHkjbARs?t=181

[wraper]

I live in an apartment complex and I've found transients rummaging through the garbage more than once.  I used to shred all my documents before disposal but admit to not doing that all the time. 

Yep, then I would almost guarantee they've gone through your bins and/or mail boxes. It's not hard to pick those crappy locks or find universal keys for locks they put on mailboxes in apartment buildings. The guys that "collect" the information are not normally the ones doing the scamming/fraud. Sometimes they are paid to go out and steal mail by others higher in the food chain. Pressure your body corporate to install CCTV around mail boxes.

Considering humongous data thefts form credit rating agencies and insurance companies, it does not even matter. https://www.ftc.gov/equifax-data-breach

[bitwelder]

Do not underestimate the power of social engineering...

https://youtu.be/lc7scxvKQOo

[NiHaoMike]

Also do you have "secret" questions set up to recover a lost password? Often the choices you get for that are fairly easy to find out once someone knows who you are. Things like what street did you grow up on or what school did you go to, mother's maiden name, etc that's all fairly public information.

Just generate and enter random strings for those to effectively disable that route of entry for sites that do not already have a way to disable it.

[Halcyon]

Do not underestimate the power of social engineering...

I completely agree, social engineering can be a powerful thing. However, it's unlikely. Social engineering tends to target specific people for a specific reason and is usually done by smarter, more educated crooks. If all they wanted to do was to order a free phone that they could sell on ebay, it's easier to steal someone's mail or go through their trash.

[madires]

Either the bad guy got your login credentials by some leak/hack or used data from other hacks in combination with social engineering to impersonate you when calling the telco. Some basic details like name, address, phone number, day of birth and SSN are often sufficient to persuade the call center agent. If supported by the telco define some secret word for the phone based customer service to make it harder for the fraudsters.

[Halcyon]

Either the bad guy got your login credentials by some leak/hack or used data from other hacks in combination with social engineering to impersonate you when calling the telco. Some basic details like name, address, phone number, day of birth and SSN are often sufficient to persuade the call center agent. If supported by the telco define some secret word for the phone based customer service to make it harder for the fraudsters.

As I said, this is highly unlikely.

Apartment buildings with a large number of letter boxes are very common targets. They often use poor quality locks (with 'bump keys' readily available from ebay etc...) and not all have CCTV. It's not unusual to see people checking mail so it's likely to go unnoticed at a glance. It's quick and cost-effective method to gain a lot of personal information from one place.

A huge amount of personal information can be gained from relatively mundane mail and most businesses will accept rates notices, bills, bank statements etc... as forms of ID.

[raptor1956]

I'm not sure if the phones they received were picked up at a retail outlet or from an online source -- either way the security protocols are inadequate.  Again, the companies care too little about our privacy and far too much about there profit.


Brian