At 23:30 On Monday, June 10, my oldest daughter shook my shoulder to wake me up from a deep sleep. She said my Twitter profile appeared to be hacked. It turns out that things are much worse than that.
After rolling out of bed, I took Apple iPhone XS and saw a text message that read: "T-Mobile alert: The SIM card for xxx-xxx-xxxx has been changed. , seeing how T-Mobile took my cellular service, I could not call for help, so it's a useless message. Fortunately, at that time I still had a Google Fi SIM in Pixel 3 XL, so I called T-Mobile and told them my physical SIM is still in my iPhone and I have not allowed any changes to my account.
Also: Waves of SIM replacement attacks hit US cryptographic users
I managed to get T-Mobile to assign my phone number and return the service to my phone by giving them the SIM card ID and then sending them to one of the other four phone numbers in my account, then read back the code for confirmation. I asked why they would allow someone to call and take my SIM without my approval. The representative said they can not discriminate or say who is on the phone and as far as some key information is given then a swap can be allowed. It all looked good with T-Mobile at the time, but I still had to figure out what's going on with Twitter and later with Google.
I started using Twitter in 2006 to coordinate meetings with other mobile technology authors, and last week I had almost 10,000 Twitter followers. My Twitter ID is a number of 2,821 and I posted about 30,000 Tweets in the last 13 years. From now on, all this is taken away.
Since my Twitter meant little about me, mainly about my mobile text writing and the friendships I've been developing over Twitter over the years, I've made sure that I have dual-factor authentication (2FA) with this service. It turns out that 2FA with text messages sent to a cell phone may be useless when hackers steal your SIM card from you.
Also: Two-factor authentication: a scam list TechRepublic
Twitter has a form to fill in if your account is stolen, but it should work with your email address set for this Twitter account. Even when I regain my mobile phone, sending code to this number still does not allow me to access Twitter. I am stuck in a circle of hell with Twitter and Google at the moment and Twitter support will not work with me through other means to resolve the situation.
While Twitter is a free service, I still expect some level of help for someone who has had the same account for 13 years and can make thousands of people check my identity. If I can not get my Twitter account back, stay on line for a new account that I will have to recover from scratch.
Because Twitter did not work with me until I returned my Google Account, I went in to try to reset my password for Google services. It turns out that the hacker was a few hours ahead of me and has already changed most of the check boxes I've set up to reset my password. If you have a Google Account, I recommend that you log in to your settings and set the following in case you need to reset your stolen account password:
- Google Authenticator
- Mobile phone number for text code
- 8-digit backup code
- Another phone number associated with your account
- Email Recovery
- Month and year when you started using Gmail
I had some of this information but the hacker changed everything in the list above, except for one email address that is still under my control. I used this email to fill out the Google form every day last week by adding a lot of other details about the situation, but I still could not get Google to continue with my account recovery.
A few days ago, a message appeared on my Pixel 3 XL that my Google Fi SIM card was disabled. I've been using Google Fi for several years, and lately I'm enjoying a $ 200 credit after I purchased Google Pixel 3. There are a number of Google Fi representatives, but repeated calls to them do not show that nothing can be done without access to my Gmail account. My long-standing Google Fi number and service credit may disappear forever.
Also: How to use the Google Project Fi mobile service with each smartphone TechRepublic
Maybe I was naive, but I supported a lot of personal information in Google Drive. This includes tax returns, passwords at the expense of my wife in case I die, personal documents and spreadsheets, and almost everything I had on paper at home. As I change computers, share data with other people, and want backups, in case my house is burnt, I trust cloud services to store their data. I have to admit that I'm a little out of date right now and can move that data back to external hard drives and paper.
We pay for Google Drive, Google Fi, and Google Play Movies, so I hoped there would be some level of customer service for customers who pay. Telephone numbers are not available for customers who pay for services or those using only free services. Google is proud to collect my information and use it to help with search results. In this way, she has every kind of information on how I do my everyday life, including tracking my every move, tracking my business trips, seeing who I'm contacting every day, and more. Perhaps you think she will be smart enough to see when a stranger appears and completely changes the information in my account.
According to Gmail, my Google Account has already been deleted, so I'm not trying to just reset my password anymore, but I'm trying to reinstate my account instead. I have countless PR people, friends, family, and others who are in my long Gmail history and can not access this information at this time. I also have thousands of photos that can be lost forever if Google does not work with me to get my account back.
If anyone has any information on how to get Google to verify my identification honestly and restore my deleted account, I'd be happy to leave a comment below.
$ 25,000 for Bitcoin
Given that I had activated 2FA for my bank account and bank account information on Google Drive, it was only a matter of time before the thief began stealing my money. While my wife was concerned about my lost account on Twitter and Google, it was not until the criminal used my bank account to buy $ 25,000 in Bitcoin that she went ballistically.
My bank originally took the money out of my bills, so we called and told them it was a scam. We were told that the bank would investigate, but our accounts could be locked up to 45 days. In this way, we immediately made everyone in the family go to the ATM to get the maximum amount of money so that the bills can be paid. We also had to call all the new alumni to whom we gave checks, gifts so we would not punish them yet. It was an extremely tense week and the adventure is not over yet.
Also: Bitcoin blues: That's how she was stolen last year
In a few days, our bank turned the $ 25,000 fee and told us that the fraud department had caught the withdrawal of the ACH before it was fully processed, so neither my family nor the bank had lost that money forever. My first instinct was to change my bank accounts, but then I realized that every person and company I wrote a check for the last few decades has the same information so I trust the bank to protect my assets.
T-Mobile's trouble and success
My T-Mobile SIM was stolen on Monday, June 10, and then I managed to get the company to return it tonight. I went on a business trip, actually at Garmin Fitness Retreat, at Whitehigh, Montana, on Tuesday, June 11th. As I enjoyed the dinner with the group on Tuesday evening, when I arrived in Montana, I was stressed the next morning because so much was not known about my Google profile. Luckily, the prominent Garmin representative was sympathetic to my situation and took me to town to get a T-Mobile connection and try to block everything.
I arrived in the middle of Whitefish, but for some reason I still had no T-Mobile cellular service. Turn airplane mode on and off without success. That was when I discovered that the hacker turned off the Google Fi service, so I did not have the opportunity to call T-Mobile to find out what was going on. I found a Safeway local store with free Wi-Fi and contacted my wife through Facebook Messenger. Through all of these hacks it was interesting to find that Facebook is the only reliable and secure service under my control.
As she contacted my wife through Facebook Messenger, she contacted T-Mobile from my daughter's mobile phone while she was at home. Then T-Mobile confirmed that she took away the SIM card and gave it to someone else. I became furious until I heard this and told them that the same SIM is still in my iPhone XS and that I want T-Mobile to stop giving it and leaving it connected to the physical SIM card in my phone. I was told that this request is not possible, but the notes can be added to my account. As long as I had a PIN associated with my SIM, I still do not know how the thief managed to go the first time, I changed this PIN to the call.
Fortunately, I have a good friend at T-Mobile, who was very concerned about my dire situation and managed to get someone to contact me to allow my SIM card to be unchanged unless someone entered in the store with at least one means of physical identification. Since this requirement is applied to my account, my T-Mobile service remains under my control.
Unfortunately, my Google Account was linked to a number of services, including Google Chrome, and I saved hundreds of Chrome account passwords that the criminal already owns. The first evening I immediately changed the email and password for all accounts related to financial data. Over the next few days I went through any other account I could think of.
Also: Verizon wants to lock phones to protect consumers CNET
Convenient advice that served me well with my role as a mobile technical reviewer was to launch one of my phones for review and leave it in airplane mode. Then I went into Chrome on my phone to browse all sites where my accounts and passwords were saved. The thief could have kidnapped all of them, so in the last few weeks I was looking at them carefully.
Unfortunately, some services and websites will not allow me to change my password or email related to the service without having access to my Gmail account I used to sign up for these services. So at the moment I do not have access to services like Redbox and Movies Anywhere, except Twitter and Google, obviously.
Recommendations for your security
In addition to contacting T-Mobile, Google (useless) and Twitter (useless), I took and recommend that you take the following actions:
- Submit a police report to the local authorities
- Turn on the credit-fraud freeze signal with the three credit reporting offices
- Fill a report with the Federal Trade Commission
- Make sure your financial institutions know about possible identity theft
- Change the email and passwords for all accounts that may be related to the stolen account
- Consider using an account login email and password instead of just relying on Facebook, Google, or Twitter as a global sign in for services. If any service is stolen, you can collect everything like me.
- Consider using the password management software or letting your device, such as the iPhone, help you create extremely long and complex passwords. Now I'm researching some of these tools to raise the security level of all my accounts.
- Close old profiles you never use. By reviewing my Chrome data, I found many accounts and services that I no longer use, but they are still subject to hacker damage.
- While two-factor authentication is a minimum standard, look for options unless the text message is sent for review. If you take SIM stolen like me, 2FA is useless.
See also: How to protect yourself from a swap attack on a SIM card via WIRED
I'm considering changing my bank account number, social security number, and other accounts that are crucial to US life and work. I'm also surprised at the use of cloud services so my strategy at the moment is to use only OneDrive to back up photos while I write my passwords on paper and leave everything else out of the cloud.
If anyone has tips on how I could get back my Google and Twitter accounts, I would appreciate the feedback. Also, if you have other tips on what to do before and after a security breach, I would like to hear more in the comments.