Macleans magazine’s cover story in November 2005 announced that then-Privacy Commissioner of Canada Jennifer Stoddart’s cellphone records had been obtained by them.

Now the FTC’s Chief Technologist, Lorrie Cranor, has had a similar experience -- someone impersonated her and was able to highjack her cellphone number and acquire two top-of-the-line iPhones. 

I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by Identitytheft.gov, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail story in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.

I’ve said it before – blaming the user for failing to protect themselves adequately doesn’t work, and in fact perpetuates the problem.  Writing about her experience, Cranor is clear that “mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.”