SIM swap horror story: I’ve lost decades of data and Google won’t lift a finger
At 11:30 pm on Monday, 10 June, my oldest daughter shook my shoulder to wake me up from a deep sleep. She said that it appeared my Twitter account had been hacked. It turns out that things were much worse than that.
After rolling out of bed, I picked up my Apple iPhone XS and saw a text message that read, “T-Mobile alert: The SIM card for xxx-xxx-xxxx has been changed. If this change is not authorized, call 611.” Well, seeing as how T-Mobile took away my cell service, I could not call 611 for help so that is a worthless message. Thankfully, at the time I still had a Google Fi SIM in a Pixel 3 XL so I called T-Mobile and told them my physical SIM is still in my iPhone and I did NOT authorize any change to my account.
I was able to get T-Mobile to assign my phone number and service back to my phone by giving them the SIM card ID number and then having them send a text to one of the other four phone numbers in my account where I then read back the verification code. I asked why they would allow someone to call up and take my SIM without my approval. The representative said they can’t discriminate or tell who is who over the phone and as long as some key information was given then a swap could be authorized. All seemed fine with T-Mobile at that time, but I still had to go find out what was up with Twitter and later Google.
I started using Twitter in 2006 to coordinate meetings with other mobile tech writers and as of last week I had nearly 10,000 followers with Twitter verification. My Twitter user ID is number 2,821 and I posted about 30,000 Tweets over the last 13 years. As of right now, that has all been stripped away from me.
Since my Twitter meant quite a bit to me, primarily for my mobile tech writing and the friendships I’ve developed through Twitter over the years, I made sure to have two-factor authentication (2FA) enabled with this service. It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.
Also: Two-factor authentication: A cheat sheet TechRepublic
Twitter has a form for you to fill out if your account has been stolen, but it requires your email address assigned to that Twitter account to work. Even when I regained my cell phone, sending a code to that number still won’t let me get access to Twitter. I’m stuck in a circle of hell with Twitter and Google right now and Twitter support won’t work with me via any other means to resolve the situation.
While Twitter is a free service, I would still expect some level of assistance for someone who has had the same account for 13 years and can get thousands of people to verify my identity. If I cannot get my Twitter account back, stay tuned for a new account that I will have to rebuild from scratch.
Since Twitter wasn’t going to work with me until I had my Google account back, I went in to try to reset my Google services password. It turns out that the hacker was a few hours ahead of me and had already changed most of the verification fields I had set up to reset my password. If you have a Google account then I recommend you go into your settings and establish the following in case you need to reset your password on a stolen account:
- Google Authenticator
- Cell phone number for text code
- 8-digit backup code
- Other phone number associated with your account
- Email for recovery
- Month and year when you started using Gmail
I had some of this information, but the hacker changed everything in the list above except for one email address that was still controlled by me. I used this email to fill out the form for Google every day over the past week, adding in lots of other details about the situation, but have not yet been able to get Google to move forward with recovering my account.
A couple of days ago, a message appeared on my Pixel 3 XL that my Google Fi SIM card had been deactivated. I’ve been using Google Fi for a few years and lately have been enjoying a $200 service credit after buying my wife’s Google Pixel 3. There is actually a number for Google Fi representatives, but repeated calls to them reveal nothing can be done without access to my Gmail account. My longtime Google Fi number and service credit may now be gone forever.
Also: How to use Google’s Project Fi cellular service with any smartphone TechRepublic
Maybe I’ve been naive, but I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home. Since I change computers, share data with others, and wanted backups in case my house burned down, I trusted cloud services to store my data. I have to admit I am a bit freaked out at the moment and may be moving this data to external hard drives and paper once again.
We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services. Google prides itself on collecting my information and using it to help with search results. Thus, it has all sorts of information on how I conduct my daily life, including tracking my every movement, tracking my business trips, seeing who I contact daily, and much more. You would think it would be smart enough to see when some stranger appears and completely changes my account information.
According to Gmail, my Google account has now been deleted so I’m no longer trying to just reset the password, but instead I am trying to recover my account. I have countless PR folks, friends, family, and others who are in my long Gmail history and am currently unable to access any of that information. I also have thousands of photos that may be lost forever if Google won’t work with me to get my account back.
If anyone has any information on how I can get Google to honestly verify my identification and recover my deleted account, I would greatly appreciate you leaving a comment below.
$25,000 for Bitcoin
Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money. While my wife was concerned about my lost Twitter and Google account, it wasn’t until the criminal used my bank account to purchase $25,000 in Bitcoin that she went ballistic.
My bank initially took the money out of my accounts so we called and told them it was fraud. We were told the bank would investigate, but our accounts could be locked for up to 45 days. Thus, we immediately had everyone in the family run down to the ATM to get the maximum amount of cash out so that bills could be paid. We also had to call all of the new graduates we gave checks to for gifts to not cash them yet. It was an extremely stressful week and the adventure isn’t over yet.
After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever. My first instinct was to then change my bank account numbers, but then I realized that every person and company I wrote a check to over the past couple of decades has this same information so I am trusting the bank to protect my assets.
T-Mobile woes and success
My T-Mobile SIM was first stolen on Monday, 10 June, and then I was able to get the company to give it back to me that evening. I headed out on a business trip, actually the Garmin Fitness Retreat, in Whitefish, Montana, on Tuesday, 11 June. While I enjoyed dinner with the group on Tuesday evening after I arrived in Montana, I was stressed out the next morning as so much was unknown about my Google account. Thankfully, the kind Garmin representative was sympathetic to my plight and took me to the town so I could obtain a T-Mobile connection and try to lock down everything.
I arrived in the middle of Whitefish, but for some reason I still had no T-Mobile cellular service. I toggled airplane mode on and off, without success. This was also when I discovered that the hacker had shut off my Google Fi service so I had no ability to call T-Mobile to find out what was going on. I found a local Safeway store with free Wi-Fi and then contacted my wife via Facebook Messenger. Through all of these hacks, it was interesting to find that Facebook was the one reliable and secure service under my control.
While connected to my wife via Facebook Messenger, she contacted T-Mobile on my daughter’s cell phone while at home. T-Mobile then confirmed that it had once again taken away my SIM and gave it to someone else. I became enraged while hearing this and told them that my same SIM was still in my iPhone XS and that I wanted T-Mobile to stop giving it away and leave it associated with the physical SIM in my phone. I was told that this request was not possible, but that notes could be added to my account. While I had a PIN associated with my SIM, I still do not know how the thief was able to get past this the first time, I changed this PIN on the call.
Thankfully, I have a good friend at T-Mobile who was very concerned with my plight and was able to get someone to contact me to indeed enable a requirement that my SIM could not be changed unless someone went into the store with at least one means of physical identification. Since that requirement was attached to my account, my T-Mobile service has remained under my control.
Unfortunately, my Google account was tied to a number of services, including Google Chrome and I had saved hundreds of account passwords in Chrome that the criminal now had possession of. The first evening I immediately changed the email and password for all accounts related to financial data. Over the next several days I went through and changed every other account I could think of.
A handy tip that has served me well, related to my role as a mobile tech reviewer, was to start one of my review phones and leave it in airplane mode. I then went into Chrome on the phone to view all of the sites where I had accounts and passwords saved. The thief could potentially hijack all of these so I have been meticulously going through them over the past week.
Unfortunately, some services and websites will not allow me to change my password or email associated with the service without having access to my Gmail account that I used to sign up for these services. Thus, I currently have no access to services like Redbox and Movies Anywhere, in addition to Twitter and Google, obviously.
Recommendations for your security
In addition to contacting T-Mobile, Google (useless), and Twitter (useless), I took and recommend you take the following actions:
- File a police report with your local authorities
- Turn on a credit freeze and fraud alert with the three credit reporting bureaus
- Fill out a report with the Federal Trade Commission
- Make sure your financial institutions know of the possible identity theft
- Change the email and passwords for all accounts that may be connected with the stolen account
- Consider using an email and password for logging into accounts rather than simply relying on Facebook, Google, or Twitter as your global login for services. If one service gets stolen, you could bring everything down like I did.
- Consider using password manager software or letting your device, like an iPhone, help you create extremely long and complicated passwords. I’m exploring some of these tools now to increase the level of security on all of my accounts.
- Close out old accounts that you never use. Going through my saved Chrome data I found many accounts and services I no longer use, but they are still all subject to damage by the hacker.
- While two-factor authentication is a minimal standard, look for options beyond having a text message sent for verification. If you get your SIM stolen like I did, 2FA is worthless.
Also see: How to protect yourself against a SIM swap attack via WIRED
I’ve been considering changing my bank account number, social security number, and other accounts that are critical to living and working in the US. I am also freaked out about using cloud services so my strategy at the moment is to only use OneDrive for photo backup while writing my passwords down on paper and leaving everything else off the cloud.
If anyone has tips on how I might get my Google and Twitter accounts back, I would greatly appreciate the feedback. Also, if you have other tips for what to do before and after a security breach, I would love to hear more in the comments.