Attackers have commandeered thousands of TracFone customers’ phone numbers in recent weeks, forcing new owner Verizon Communications Inc. VZ -3.55% to improve safeguards less than two months after it took over the prepaid wireless provider.
TracFone offers prepaid wireless service under several brands, including Straight Talk, Total Wireless and its namesake brand. Some customers of Straight Talk said they found their phone lines suddenly disconnected around the December holidays.
“We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers,” TracFone said in a notice posted on its website this month.
In some cases, customers said they discovered their lines had been moved without their permission to Metro, a unit of T-Mobile US Inc. A T-Mobile spokeswoman said the company investigated and found “no fraud or data breach of any sort” on its side. The company added that such unauthorized transfers “are unfortunately an industrywide issue.”
Verizon, which acquired TracFone in late November in a $6.25 billion deal, said it had added security protections to the recently acquired services to prevent such fraudulent transfers. For instance, the prepaid operators will now send customers a text message notification when a transfer request is made.
A Verizon spokeswoman said the attack appeared to affect about 6,000 TracFone customers, a fraction of Verizon’s roughly 24 million prepaid lines. “We have no reason to think that this was caused by anybody on the inside,” the spokeswoman said.
“You’ve got the bad actors out there constantly trying to find points of weakness,” Matt Ellis, Verizon’s finance chief, said Tuesday in an interview. “We’ve addressed that weakness.”
The fix came too late for Enid Hagerty, an information-technology project manager in Michigan who noticed on Christmas Eve that her PIN-protected Total Wireless account was no longer under her control. The independent contractor had to tell clients in an email not to rely on the phone number until the problem could be worked out.
“My blood pressure was in my eyeballs. I was so furious I wasn’t getting the answers,” she said. “That was my lifeline to everything for 20 years.”
She said she later regained control of the number but is using a different service provider.
Other customers of various TracFone brands said unknown attackers appeared to use their commandeered phone numbers to target cryptocurrency accounts.
Control of a mobile phone line can be an attractive entry point for scammers looking to break into a victim’s bank account. Cryptocurrency wallets secured with mobile-phone authentication are another common target.
A 2020 Princeton University study of identity-verification measures among five prepaid cellphone carriers—including Verizon and TracFone—found all of the providers “used insecure authentication challenges that could be easily subverted by attackers.”
The Federal Communications Commission last year began accepting public comments to help shape rules aimed at preventing malicious takeovers of cellphone numbers through SIM swapping and port-out fraud.
It isn’t yet clear who is responsible for the TracFone attack, said Allison Nixon, chief research officer at information-security company Unit 221B. But she said that the stories from victims targeted in the attack fit a pattern that is often caused by the work of a small group of well-practiced phone-number thieves.
“We’re at the stage where we’ve bred superbugs at this point,” she said. “I’m watching them become more mature and there are new people coming into this community and learning their ways.”
Write to Drew FitzGerald at andrew.fitzgerald@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
