Jeff Drobman knew something was wrong when Bank of America alerts popped up on his phone.
“I started to get notifications that someone tried to log into my account, that my password had been changed,” he said.
The Chatsworth man tried to call the bank, but he had no signal.
“Why’s my phone not working? What happened? I don’t know,” he said.
Get top local stories in San Diego delivered to you every morning. Sign up for NBC San Diego's News Headlines newsletter.
When Drobman got to a phone to call Bank of America, a chunk of money was gone from his account.
“They go, ‘They’ve already withdrawn $21,000 from your account.’ Are you kidding me? That’s half of my bank account,” he said.
Here’s what likely happened: It’s called SIM swapping. A crook got a hold of Drobman’s personal information, like his name, address and cell number, and convinced Drobman’s cellphone company, Spectrum, to transfer his cellphone number to a new phone. The crook then had access to Drobman’s text messages and used text message two-factor authentication to get into Drobman’s bank account and steal his money.
“So the text message went not to my phone, but their phone. So by hijacking my phone, they intercept my text back codes,” he said.
According to the FBI’s most recent data, victims lost more than $68 million to this scam in 2021, five times more than in years past.
Cybersecurity expert Stan Stahl is trying to bring those numbers down. He founded Secure the Village, a nonprofit dedicated to educating people about cybersecurity.
He says what happened to Drobman can happen to you.
“Jeff was not specifically targeted because he was Jeff. He may have been specifically targeted because they ran across his information. But that could happen to any of us,” said Stahl.
Stahl largely blames Spectrum for its lack of security. He says they made it too easy for crooks to steal Drobman’s cellphone number.
“So Spectrum wants to make it as easy as possible for people to go buy a new phone. But in thinking about that, Spectrum, and every company like them, has to think about the risk side of the equation,” he said.
Stahl said all wireless companies should require customers to have a personal identification number (PIN) that they must use to make any account changes.
A trade group for wireless providers agrees.
Spectrum told the I-Team it recently started requiring PINs for number transfers, but it wouldn’t comment on how crooks bypassed this to steal Drobman’s number.
“Our mobile carriers have to be called on the carpet for that, they’ve got to fix that. They can’t just transfer phone numbers because somebody asked you to,” said Drobman.
On the banking side of this scam, Stahl said text codes for two-factor authentication aren’t safe either. He said banks should instead use face recognition or an authentication app.
But the banking industry defends text back codes. Bank of America pointed us to a banking trade group for comment. The American Bankers Association said the industry invests billions of dollars in cybersecurity, and text back codes provide a significant defense against account takeover.
Drobman doesn’t buy it.
“I want to get the word out that text back codes are not safe,” he said.
After the I-Team reached out to Bank of America about Drobman’s case, it put $21,000 -- the amount stolen from him -- back into his account. In a statement, it said it takes identity theft seriously.
Drobman believes he’s now as secure as he can be. But he’s disappointed that these two companies both failed to keep his money and identity safe.
Tips to keep your money safe:
- Create a PIN with your wireless carrier.
- If your bank allows it, use facial recognition, instead of two-factor authentication, to make account changes.
- If you unexpectedly lose your cellphone signal, contact your carrier right away to make sure your number hasn’t been hacked.