I’d been away from my desk and phone for about an hour. When I came back, emails told me that I had purchased a phone in Massachusetts and switched my number to it. I live in California. Also, my bank said one of my credit cards had been added to my Apple Pay. I reached for my phone to call AT&T, but I had no service.

So began my attempts to recover from and figure out what happened in the theft of my identity.

What the Thief Did

Last Tuesday, a man my age walked into the Worcester Plaza AT&T store in Worcester, Mass. He proceeded to buy a Samsung Galaxy A71 5G in my name, which he financed on my AT&T account. $599 financed, 30 payments of $20, $37.50 tax. He paid the tax in cash.

He produced a California driver’s license with my name and his picture on it. The magnetic strip on the back of the license was scanned successfully. He also told them the last four digits of my Social Security number.

He then asked to have my phone number transferred to his iPhone. The phone number was transferred to a new SIM. No charge. He left the store.

A little later, he added one of my credit cards to Apple Pay on his iPhone, the one with my number. He then tried to buy some gas with it, but the payment was declined. He tried to buy an expensive iPhone, and that purchase was also declined by my bank, Bank of America.

Two days later, he tried again to switch my phone number. A little later, he tried to access my AT&T account. But I’m getting ahead of myself…

How He Did It

Realizing that I had my identity stolen initiated a two-day flurry of activity. During that time, I accessed haveibeenpwned.com and entered my email address. My personal information has been included in 14 data breaches so far. Starting there, this is what I figure happened.

The thief, or his organization, probably accessed some of my breached data on the dark web, which is basically just a bunch of URLs you can’t usually Google. Anybody who’s spent time there knows credit card information is easy and cheap to get. Driver’s license numbers and Social Security numbers may also be included, along with residence address, phone, and more.

Armed with this information, my thief made himself (or somebody made for him) a fake California driver’s license. That sounds hard; look at that fancy hologram and all the other stuff. But is it truly difficult?

No. Google “fake ID,” and scroll through the pages of ads. Some claim they’re “novelty IDs,” but look at what even the “novelties” offer: scannable, holograms, passes blacklight test, upload your photo, and more. Serious fake ID’s are being made, too. Customs at O’Hare Airport in Chicago has caught nearly 20 thousand of them this year, mostly, they say, from Hong Kong and China.

You can get your magnetic strip writer at Staples, or any other number of legitimate vendors. You can order them on the internet. They’re used for lots of legitimate things, like company IDs.

Fake IDs fall into two large categories: “show-to-an-officer” and “flash only.” If you’re a college student trying to get into a club, you flash your ID at the bouncer. In this case, the ID probably didn’t have to be perfect. A store clerk in suburban Massachusetts may not see that many California driver’s licenses. If it scans and the photo is good, you’re probably OK with minor effort on the appearance.

Once you’ve got the ID, and the last four digits of my social, you’re golden.

For AT&T, the driver’s license and the four digits of my SSN were enough to buy a new phone, charge it to my account and get my phone number switched to their SIM.

I was lucky that I had another phone, through Microsoft Teams. It’s hard to get help when you see “No Service.”

Why Apple Pay?

The first people I called was Bank of America. I explained the situation and they disabled my credit card. It did take me four calls to achieve this. Calling the usual customer service number resulted in an identity check I could not pass. They needed to text an authentication number to my phone with no service. It didn’t work. The thief probably got it. Fortunately, the phone number on the warning text the Bank had sent me went directly to the fraud department, and they helped me. I should have tried that first.

They also removed my card from Apple Pay. One of the big steps forward in credit card safety has been adding a chip to the card. These chips are, apparently, harder to fake than magnetic strips. Apple Pay doesn’t use a chip, however, just near field communication (NFC) to talk to the credit card scanner. Getting a card approved it easy, once you have the right phone and the right number. You just fill in the credit card information, then somebody sends a confirmation number to your phone, which you add to the other information. Then you’re in. No chip needed.

It can be noted that this procedure is a lot like common two-factor authentication. It’s one of the reasons people are moving to hardware-based authenticators.

What I Did to Protect Myself

Although I stopped the credit card and got my charges removed from my AT&T bill, some crook out there still has a pretty good fake ID with my information on it, and my SSN. What is to be done?

I called Apple, reported the incident, and changed my Apple ID, and it now requires two-factor authentication. I changed my passcode at AT&T, and my AT&T login now requires my username, password, and an additional passcode. I replaced my credit card. If you ask, you can get it delivered with expedited shipping.

I called the California Department of Motor Vehicles and reported the incident. I called TransUnion and placed a fraud alert. The major credit bureaus have an arrangement that if you place a fraud alert with one of them, it will be activated for all of them. The fraud alert means that for the next year nobody can access my credit reports without my permission. Without credit reports, a lot of things won’t usually happen, such as getting a new credit card or a loan, except, of course, for getting a phone on credit.

Why Am I Still Nervous?

That wasn’t my only credit card. There are lots of places where you can set things up with all your personal identifying information.

In response, you can change your Social Security number, but it’s not all that easy. In my case, a victim of identity theft must continue “to be disadvantaged by using the original number” and I would have to “provide current, credible, third-party evidence documenting the reasons for needing a new number.” So far, there’s just the one incident.

I don’t want to change my phone number, which I’ve had for years, because I have no idea how many people have it. It’s not a small group.

There Ought to Be a Law!

I think that’s all I can do, but it doesn’t mean that’s all that could be done. AT&T, for example, could go farther than simply sending me a text when my SIM is about to be swapped. They could require that I approve it from the phone number in question. The idea that I must answer every text I receive, immediately, to guarantee that I’m not hacked is simply too Orwellian.

Apple has taken some steps to improve your security with Apple Card. Trust private enterprise to fix their security problems on one of their services by signing you up for something bigger.

The banks seem to be doing the best job. That’s because they have a real financial incentive to stop credit card fraud, because they pay for most of it. Maybe we should make the others pay for most of it.

I’ve mentioned a few things you can do to respond to a hack like this, but the fact is that this type of theft, and many others, are now common and easy. Something is going to have to change.