Last night @ 10:04 PM — nearing the bedtime hour and minutes after AT&T fraud hotlines closed — the notices started flooding in.
A legacy email password was changed.
That led to Facebook being compromised.
Which led to my cell phone number being coughed up.
Then. Ugh, then…
My mobile phone went offline.
And that is the hole you can’t dig out of.
Let’s be clear: I use protection.
I’ve set up 2-factor authentication on my major gmail accounts, my applications and all of my crypto products — and well as a do not port on my phone.
But I missed one very, very old gmail account (like most I unfortunately have a random one I’d forgotten about) and — even though it was merely a blackhole of spam email — that loophole was compromised.
That was fixed easily enough, I immediately sprung into action, changing passwords in real time — both Gmail and Facebook have really simple tools to notify of a security breach, prove its you, and update your account. Kudos to both of them.
But once your phone gets taken over, you are in deep deep trouble:
- You will wait on hold for 30 min for AT&T’s typical customer service to answer.
- They will explain to you that, yes, indeed, a few minutes earlier someone had ported your SIM to a new SIM. Why in God’s name that was possible — even with a “do not port” set up for the phone — the customer service representative does not know.
- Said rep will then explain to you that you’re basically shit-out-of-luck. They simply cannot do anything to change it back because their Fraud Prevention Group is closed for the evening. They are open during “normal business hours.” That’s right, because hackers only work during normal business hours.
Meanwhile, said hackers are exploring any/all loopholes they can to crack your 2-factor authentication to get to the real stuff: your crypto accounts.
With my phone contact list, they tried some end arounds. At 11:00 PM, my ex-wife (who maintains my last name, so was a natural launchpad) started receiving terrorizing calls on her home phone.
They called over and over and — through a voice modulator, no less — they started demanding,
“Where is Dave?”
Besides weirding her out, they didn’t accomplish much.
Meanwhile, AT&T is on the line. They’re telling me to go to sleep. To call back the next morning.
I become somewhat hostile, and demand the Manager. The Manager is prepared for this. She says they are based in the Caribbean and they have no way of solving the problem (I picture them in an open-air call center under a thatched roof, with the ever-so-distant sounds of Island music floating in on the warm breeze).
“Call the Fraud Hotline tomorrow,” she says.
They open in 9 hours.
Then horrifically, she launches into the standard closing pitch,
“AT&T thanks you for your business, we value you as a customer…
Thanks, AT&T.
You are apparently a hacker’s best friend.