Food writer Jack Monroe 'loses £5,000 in phone-number hijack' By Zoe Kleinman

Technology reporter, BBC News Published duration 14 October 2019

image copyright Mike English

Jack Monroe says she has lost about £5,000 after her phone number was hijacked and re-activated on another Sim card.

The criminals were then able to receive her two-factor authentication messages and access her bank and payment accounts.

The bestselling food writer tweeted she was "paranoid about security" and already had strong measures in place.

A privacy campaigner said the industry had failed to address "Simjacking".

Ms Monroe tweeted she was "white-hot angry" and had been told although she should get her phone number back soon, the money "will take longer to recover".

"The money stolen has run into thousands of pounds - I'm a self-employed freelancer and I have to absolutely hustle for every single pound I earn. And someone has just helped themselves to around five thousand of them," she tweeted.

Ms Monroe is a best-known for her low-cost recipes and her support for anti-poverty campaigns.

Simjacking, also known as Simswapping, is when criminals port a phone number over to a new Sim card, which they can then use as if it was their own.

They do this by posing as a customer who wishes to move to a different mobile provider but keep their existing phone number.

While mobile phone operators often request personal information to complete the request, this can be data already in the public domain - Ms Monroe's date of birth, for example, was on Wikipedia.

Sometimes individuals working for mobile operators or phone shops can be bribed into making the switch.

Often the first clue for the victim is when their own phone stops working.

Increasingly, banks and other services will use a text message to send a code as an extra layer of security to a registered phone number before allowing access to an account.

One critic of the industry's response to the crime is a privacy campaigner who used to work for the GSMA, the trade body that represents mobile operators.

Pat Walshe, now managing director of Privacy Matters, told BBC News the scale of the problem in the UK was currently unknown but there were cases of Simjacking from around the world.

"The industry has failed to address this problem for a number of years," he said.

"It's not trivial [to carry out a Simjack attack] but someone could do it easily enough."

Mr Walshe said victims should report the crime to their mobile provider, Action Fraud and the Information Commissioner's Office (ICO).

"I think Jack Monroe's case should now force the ICO to investigate whether mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules, in addition to the [EU data protection law] GDPR," he said.

The GSMA has championed an alternative mobile identity authenticator called Mobile Connect.

BBC News has contacted the ICO, which deals with data protection issues.