Here's why TracFone recommends some customers change their PINs immediately

On November 23rd, Verizon closed on its purchase of TracFone, and customers of prepaid wireless firms such as Straight Talk, Total Wireless, and Tracfone became prepaid customers of Verizon. Many were already using services provided by the nation's largest carrier which provided wireless service to TracFone customers making the latter a mobile virtual network operator (MVNO).

MVNO's buy wireless service from carriers who own their own towers and spectrum, but sell some of it wholesale to companies like TracFone who sell wireless service at a slightly discounted price to price-conscious customers.

According to the Wall Street Journal, around the holidays, Straight Talk customers started to complain that their mobile numbers were being disconnected and after investigating, the company has put up a notice on its website. "We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers," TrackFone wrote.

The message added, "These bad actors may have had access to your name, address, PIN code, account number, secret question (but not answer) and email address to the extent you provided us with such information." TracFone told its customers that if they were contacted via text or email, they should change the PIN on their accounts immediately taking care not to reuse a previously used PIN.

TracFone also said, "If you experience a sudden loss of service, or are having difficulty with a number transfer, please contact customer service at 1-800-353-1842. If you suspect unauthorized activity regarding your wireless service, and use your mobile number as a form of authentication on other accounts (e.g., financial accounts, social media accounts), consider changing passwords to these accounts immediately."

Some customers found that their number and service had been transferred to T-Mobile's Metro unit without permission. T-Mobile investigated and found "no fraud or data breach of any sort," and added that unauthorized transfers "are unfortunately an industry-wide issue."

To combat this sort of thing, Verizon will now send TracFone customers a notification via text when it receives a request to transfer an account. This could help stop the fraudulent activities, Verizon said. The carrier also noted that the attacks are limited to 6,000 TracFone customers, a small portion of Verizon's approximately 24 million prepaid customers.

A Verizon spokesman said, "We have no reason to think that this was caused by anybody on the inside." Verizon's finance chief, Matt Ellis, stated "You’ve got the bad actors out there constantly trying to find points of weakness. We’ve addressed that weakness."

It seems that the attackers were also looking for TracFone numbers connected to cryptocurrency accounts. Once the hackers had control of a mobile phone account, they can use it to not only break into the victims' bank accounts but also to take control of any cryptocurrency account that might fall into their hands.

In 2020, Princeton University conducted a study of five prepaid carriers including Verizon and TracFone, and found that all five of them "used insecure authentication challenges that could be easily subverted by attackers." Allison Nixon, chief research officer at information-security company Unit 221B, says that it isn't clear who is behind the TracFone attack, but the pattern of the attack indicates that it was done by a small group consisting of phone number thieves who know exactly what they are doing.

Talking about these attackers and how they have a plan in place to take control of mobile phone accounts, Nixon says, "We’re at the stage where we’ve bred superbugs at this point. I’m watching them become more mature and there are new people coming into this community and learning their ways."

One typical story was told by victim Enid Hagerty, an information-technology project manager in Michigan. Hagerty noticed that On Christmas Eve that her PIN-protected Total Wireless account was no longer under her control and had to email her clients to tell them not to trust her phone number and calls coming from that number until she could get the problem under control.

She eventually regained control of her account, but now uses a different wireless provider. She stated "My blood pressure was in my eyeballs. I was so furious I wasn’t getting the answers. That was my lifeline to everything for 20 years."