Three years ago, on Tuesday, March 20th, 2018 I had my SIM card stolen. What happened to me should never happen to anyone. It did nonetheless, and now I hope that I can help someone, somewhere avoid the hell I went through. I don’t want sympathy, and that’s not what I’m after. After three years of hearing about more and more people experience SIM card theft, I hope to help others avoid what I went through. And I want change. It’s time that leaders in the telecom industry finally step up and make the changes necessary so that SIM card theft doesn’t keep happening.
At 10:57 am on March 20th, 2018, I made a call to my sister. She didn’t answer, and I resumed my work. About an hour later, I went to make another call. As I dialed the number of the person I was calling, my phone line was dead. After my call attempt, I was given the message “Not registered on network”. My initial thought was that if I restarted my phone, everything would work fine. Unfortunately it was not. After restarting my phone, my phone line was still dead and I receive the same message “Not registered on network”.
Despite the message I received after multiple attempts to make a call, I was not too worried that something was wrong with my own phone line. I resumed working and thought that the T-Mobile network must be down.
At about 12:30pm, I checked one of my email accounts. There were seven new messages, and four emails stood out. Those four emails included: 1) A log in to my email address had occurred from a new IP address. 2) My email address password had been successfully changed. 3) Someone had logged in to my Coinbase account from a new IP address. 4) My password had been successfully changed on my Coinbase account.
When I saw those four emails, I knew immediately that my phone issues were due to a SIM card hack. After one click inside my email account, I was locked out of that email account. I immediately tried getting into my Coinbase account, with no success. My next thought was to contact the Coinbase online support. However, I had a problem. I didn’t have access to my phone or email address that was associated with my account. Before I could recover my Coinbase account, I had to regain access to either or both my phone and my email account.
Someone had received a new SIM card for my phone, and in turn, had accessed my Hotmail email account. Within minutes of accessing my Hotmail account, they accessed five cryptocurrency related accounts, and a Twitter account. How could it happen? I was home working, with my phone. As a small business owner that has worked from home for years, my phone is everything. I could have never imagined what was happening, or how it would happen.
After unsuccessful attempts to regain control online of the accounts that I knew I had lost control of, I went to the nearest T-Mobile store. While there at the T-Mobile store, I was able to regain control of my phone and get a new SIM card for my account. Unfortunately, someone had full access to both my cell phone account and my Hotmail account for over four and a half hours.
The T-Mobile store employee that I spoke with told me that someone in Iowa had been given a new SIM card for my account. IOWA!!! How? WHY? I live in Utah, and had been home, making calls from my phone throughout the morning. I was floored by what I was told. As I asked for more details, the T-Mobile rep did not give me any more details, and asked that I call the T-Mobile customer support phone number.
Shortly after getting my new SIM card, I called the local police to report what had happened. They took my information, but told me that there was little they could do. I then called someone that I know at the FBI in Salt Lake City. They put me in touch with a person in the FBI’s cyber crimes unit division. That person took almost an hour of his time to talk with me. He told me that this was not uncommon, and unfortunately there was little they could do unless I’d lost a significant amount of money (over $100,000). They just do not have the resources or time to pursue every case, and unless the loss is over six figures they would not pursue it.
I told the person at the cyber crimes unit that I wasn’t going to lose six figures, as I didn’t have that in the accounts I’d lost access to. He then told me step by step what T-Mobile would do to avoid cooperating with both me and any law enforcement including the FBI. Over the course of the next two months, this person at the FBI proved to spot on.
Over the course of the next two days, I called T-Mobile numerous times trying to get help and answers. Each call led to another customer service rep feeding me the same bullshit response. I’d ask for a manager, only to get no further than what the entry level support was providing. Even though I had my phone back, I still did not have my email account access that I had lost. On four occasions in the 24 hours after I regained access to my phone, I called Hotmail’s customer support and spent four hours on hold EACH call. Their support was somehow worse than T-Mobile’s.
Two days after the SIM card theft occurred, on Thursday March 22nd, I went to another T-Mobile store to seek answers and ask for help. This was the third T-Mobile store that I’d visited for help in less than 48 hours. Luckily for me, the guys working the store were somewhat helpful.
They looked up my account, and confirmed what I had been told by the T-Mobile rep when I regained access to my account. Someone in Iowa had went in to a T-Mobile reseller and was given a new SIM card for my account at 10:59 am on March 20th. This T-Mobile rep was kind enough to show me the screen to my account history, which I took a picture of.
Why would a T-Mobile rep give a SIM card to someone in Iowa, just 2 minutes after I made my last call while I was in Utah? Since T-Mobile clearly knew which store, and which worker gave my SIM card to another person, why wouldn’t they cooperate and find out who took my SIM card? I wanted to know. That person also hacked my email account, and a number of other accounts.
Just as I was told by the FBI cyber crimes unit in Salt Lake City, T-Mobile never cooperated. They flat out refused to answer my questions. As bad as they were, Microsoft and Hotmail were equally bad. It took me three weeks to regain access to my Hotmail account. THREE WEEKS! They didn’t lock my account for nearly a week. Imagine some hacker having full access to your email account for a full week. What would they see? What information could they get?
While I believe that T-Mobile and all other cell phone carriers shoulder responsibility to prevent SIM card theft from happening, I believe there are things everyone can do to limit their own risk if SIM card theft does occur.
Here are four things that I’ve learned that everyone can do to protect themselves in case of SIM card theft.
- Set a PIN code to your cell phone
- Delete your important emails from your email inbox
- Don’t use SMS as your 2-Factor Authentication
- NEVER leave cryptocurrency on an exchange
1. Set a Pin code to your cell phone. I didn’t even know this was an option three years ago. From what I’ve learned since, I know that it can’t fully protect SIM card theft. However, it’s a small step that may be a deterrent.
2. Delete your important emails from your email inbox. Once the person had my SIM card, they took over one of my email addresses very quickly. They had full access to that email account for nearly a week. My experience is not unique. A study by Barracuda and UC Berkeley found that just over a third of hacked corporate email accounts sustained attacks for more than a week.
Imagine what hackers will find in your email if they have access for one day, let alone a full week! Think how much someone can get to know about you, your family, your friends, your interests, your work, etc., if they have access to your email account. How easy would it be to destroy your entire life? This experience has led me to think more about what emails I send to people. What if a hacker gained access to the persons email that I am sending it to. Many people never delete their emails. What am I ok with sending if someone with malicious intent reads the emails I send?
3. Don’t use SMS as your 2 Factor Authentication for website login security. Once someone has taken over your SIM card, they will take access to every single account that you have that uses your phone numbers 2 Factor SMS Authentication. If a company only offers SMS for 2 Factor Authentication, they have no clue what they are doing in their cyber security department. There are other options like Google Authenticator, and many others for 2FA. Don’t ever fall for the SMS 2FA trap!
4. Never leave cryptocurrency on an exchange. I learned the hard way. Once someone gets access to your account, they can transfer whatever crypto you have to another wallet. When it’s gone, it’s gone. Good luck getting help from Coinbase, or any other exchange. It’s impossible. The person who took my SIM card also took all my crypto that I had left on three different exchanges. They also took access and stole all of my crypto that was held on two other wallets that I had. This all could have been avoided by simply keeping crypto on a hardware wallet. You may want to consider a Trezor, or Ledger hardware crypto wallets. There are others that are also worth considering.
In the summer of 2018, I organized and hosted a blockchain and cryptocurrency conference in Park City, Utah. Near the end of the conference, the topic of SIM card theft was brought up. I mentioned my experience, and to my surprise, at least half a dozen others spoke up and mentioned that they had been the victims of SIM card theft as well. Since that conference in July 2018, I’ve had a number of other friends reach out to me and let me know that they too have been the victims of SIM card theft. Unfortunately, SIM card theft is happening far too often.
Ultimately, I hope for change within the telecom industry so these things don’t continue to happen. When they do happen, people need to be held responsible. T-Mobile has never once provided me an answer to my question of who receive my SIM card. There are multiple cameras in every single T-Mobile store I’ve ever been in. They could have found out if they wanted to.
Like I was told by the FBI on the day it happened, T-Mobile would not cooperate. It makes me sick that they would protect the person stealing a SIM card over one of their customers. Who does that? Seriously. There’s too big to fail, and then there’s “too big to care”. After months of trying to get answers, they gave me this weak letter, and a slap in the face “shut up and go away” settlement of very small amount.
It is my hope that everyone can take something away from what I learned from my SIM card theft and limit their own risk. If you think it can’t or it won’t happen to you, then you leave yourself completely vulnerable to everything that happened to me. Trust me, you’d rather not have that happen.
BRYAN GERRITSEN says:
Very horrible and sad experience you had, and very helpful warning to all of us of what may happen, and the 4 steps we can take to minimize this risk and types of events. Thank you for sharing this story, and your helpful comments and suggestions. We should all prepare and be careful.