There is no doubt that wireless technology and device innovation have transformed our day-to-day lives, changing the way we work, play and stay in touch with family and friends.
Nowadays, mobile devices are more than phones — they’re where we do our banking, how we work when away from the office, how we shop and consume entertainment with movies, music and news on the go.
This shift in consumer and business behavior means there is increasingly more value attached to our devices than just the initial price tag. The applications used on our devices — and the information accessed through them — are extremely valuable and, unfortunately, increasingly attractive to criminals and fraudsters who want access to our information.
Account takeover fraud occurs when a criminal takes control of a wireless customer’s account and phone number so they can send and receive calls and texts as if they were the customer. The goal is often gaining access to the customer’s financial, email and social media accounts, and wireless phone numbers are usually targeted as the first step because many platforms and apps rely on a one-time PIN sent via text or phone call to authenticate their customers. These are criminal attacks and it’s an industry-wide problem that many are working hard — individually and collectively — to prevent.
Understanding the Different Types of Account Takeover Fraud
SIM swap fraud
Swapping the line assigned to a SIM card between devices is a legitimate service that allows customers to upgrade or replace a lost or stolen device. SIM swap fraud happens when a customer’s phone number is assigned to a new SIM card and mobile device without their knowledge or consent. Fraudsters may use the victim’s personal information or mobile account information, including phished passwords or fake IDs, to impersonate the real customer and make the SIM card change.
Port out fraud
Porting a phone number occurs when a customer chooses to change carriers but wants to keep their number. Allowing customers to port their numbers is a legitimate practice and an important freedom that helps customers choose carriers and plans that best suit their needs. Fraudulent porting happens when a fraudster gains access to the victim’s mobile account information, often by phishing the account password, to port the victim’s number to a new account at a new carrier.
What T-Mobile is Doing to Keep Customer Accounts Safe
There is no silver bullet when it comes to data security, and T-Mobile is constantly evolving its safeguards to respond to new risks and new ways used to commit fraud, including:
- Working with law enforcement and security experts to learn about new fraud techniques to anticipate new threats.
- Conducting extensive training of Care reps on how to spot scams and using the latest processes and protections available for customers.
- Continuously planning, testing, and implementing a variety of technical improvements to identify and respond to risks and fraud attempts.
How Customers Can Protect Their Accounts
All T-Mobile accounts are assigned a 6-15 digit PIN as a default. This is a non-negotiable protection applied to all accounts and a customer’s number cannot be ported without verification of that PIN. We also use this PIN to authenticate customers when they call Care.
Having a strong and complex PIN that is frequently changed and can’t be easily guessed or obtained is a simple, effective way to secure an account. For the vast majority of customers, this is a reasonable level of protection. More information on updating the PIN on an account can be found here.
Customers may also choose to enable multi-factor authentication for access to their account via My.T-Mobile.com. More information on securing your T-Mobile ID is available here.
In a small number of extreme cases where customers have been victims of account takeover fraud, T-Mobile will work with customers individually to apply additional security measures that further prevent changes to their account.
(Note: If a customer believes someone has made unauthorized changes to their account, they should call T-Mobile immediately, either by dialing 611 from a T-Mobile phone or by calling 1-800-937-8997 from any device. T-Mobile also supports law enforcement investigations of specific fraud cases.)
Additional Steps Worth Taking
Remember, T-Mobile does not control how third-party services and apps, including social media platforms, banking and financial institutions, email providers and other services authenticate their customers. These service providers may control your sensitive and valuable information. To understand the protections available on those platforms, customers should work directly with those providers.
For answers to any questions about any of the above, T-Mobile and Metro by T-Mobile customers can dial 611 directly from their mobile to reach a Customer Care representative 24/7.