Several years ago, the idea of hacking a cell phone was considered such a non-possibility that “60 Minutes” even did a piece on the topic. But as cell phones have become hand-sized computers, smart thieves have figured out how to hack them.
This has become a huge problem for all of us, including employers that are struggling to keep their enterprises safe as more employees deploy their digital identities across a broader range of devices.
Let me tell you a story about what happened to me and what you can do if (when?) it happens to you.
My Case in Point
A few weeks ago, I had a power spike that caused my home’s Internet and TV to go out. My provider replaced our fiber-to-ethernet converter. But I had a continuing issue with one of my ethernet routers.
So I needed to reach out again to my provider, Sonic. Using Google on the phone for customer service, I initially ended up talking to the fast-food restaurant with the same name. I added “Internet” to create a long-tail search. In the box from Google, my provider’s customer service number appeared with no URL. I called, and the process sounded identical to Sonic’s.
It was only later I learned that I was not talking to Sonic. I was talking to a clever thief. He expertly acted out the role of a helpful call center support rep as he began “troubleshooting” the problem. Even so, the more he talked, the more suspicious I got. I hung up the minute he wanted to view my accounts to verify my identity. And I was left with a sinking feeling in my stomach. What did the thief get?
I moved quickly. I reached out to security experts that I know in the #CIOChat. One, who is a CISO at a major company, had me walk through what happened. He asked me one very important question:
Did I see a power drain on my cell phone or need to attach to power?
He said this occurred because the thief was downloading everything on my phone, including the passwords to my apps. Before we talked, I had already deleted the application and put the phone in airplane mode. But that turned out to be just the start of what I needed to do.
Let me walk you through what the CISO told me and what I’ve learned from talking with Apple.
The Roadmap Forward
The first thing to do is to switch your phone to airplane mode. (Hey, I got that right!) Then delete any application that the thief had you install and delete everything in your cell phone’s wallet. (That, too!)
After that, get the earliest possible appointment with your wireless provider. (During COVID-19, AT&T is accepting only limited numbers of people in their stores.) Get the support person at the store to do a factory reset of your phone, so the thief cannot do additional damage. I chose to get a new cellphone because it is possible that the thief laid down an app that could survive the factory reinstall process.
With this completed, turn your attention to your credit cards. Cancel all credit cards in the wallet or connected to your Apple or Google ID. Then, change the passwords for all accounts on the phone. I realized, at this point, that the anatomy of my passwords needed to change radically because the thief had a large amount of information about me and my family.
It is critical to change your Apple ID and Google ID as quickly as possible. I did both. Next, inspect your phone in airplane mode and write down your financial accounts, your other apps with passwords, your work apps, and your potentially exposed information.
At this point, file a security incident with your company. It is essential to know what corporate accounts are potentially exposed. And do this as soon as possible. I was told by the CISO this is so you can protect yourself, especially if the thieves’ real goal was to hack into your company. I later learned that these steps met with the approval of my company’s security department.
At this point, I called Apple Support. They were extremely helpful. They instructed me how to change my Apple ID on my PC. They also told me that doing a factory restore is not enough. Instead, you will restore apps using purchase history one by one. This means that only known “good apps” are restored onto the new phone. This takes more time. But you have the peace of mind that you have a clean, safe phone.
The critical words to look for are “no transfer on information.” Given this, make an appointment with your cell phone provider. Have the customer service person reset to factory install on the old phone. However, for me, this meant potentially re-exposing my Apple ID password even though we were only on Wi-Fi. To be safe, I changed my password again. With this complete, it was now on to my computer.
Change your computer login and the passwords for other apps that may have been compromised on your phone. It was at this point that I noticed an attempt to make purchases on my Amazon account. Wherever possible, do not change only your password but also move to two-factor authentication.
Honestly, the thief failed to make purchases because my phone encrypted the three-digit code on the back of my credit cards. With these steps completed, you can now restore your phone apps. Make sure along the way to use a different password basis between personal and work accounts. With this complete, you are ready, using your company policy, to reconnect company apps, including token-producing apps.
A Long Twelve Hours
Honestly, it took 12-plus hours to fix everything. But since there was no guide for what to do, I thought I would help others think through what I had to learn. In our digitally connected world, very few of us have not been scammed at some point. If it hasn’t happened to you, trust me when I say that you will feel violated in some way. I will never forget some of the arrogance of the thief while I was on the phone with him. Especially, I remember when he said he could see everything.
Thieves are only going to get better. They are already hijacking the social presence of organizations. The fact that they managed to manipulate Google AdWords to be at the top of search is nothing short of scary.
In this environment, they are only going to become more sophisticated. Maybe regulation and increased enforcement will help. In the meantime, we all have to become more vigilant and quick to respond when we are hacked.