The Houston Examiner reported the arrest of members of an identity theft ring that used the stolen identities of Sprint customers to order fraudulent replacement smart phones, which they resold:
"Customers are routinely asked for their secret PIN numbers when they walk into Sprint stores, and federal agents say employees of the store were giving that information to thieves who were using it to get replacement phones that could be sold online."
What I found interesting about this case were the three points where data security failed. Better security at any one of these points could have stopped this theft ring before it started.
First, insider identity theft by employee facilitated the thefts. Using the stolen identities, the thieves ordered replacement smart phones from the insurance company, Asurion, used by Sprint mobile customers. A data breach like this highlights the need for a mobile service provider to implement a Red Flags program to identify and address problem data-security areas.
Second, the insurance company didn't seem to notice the rise in replacement phones within a specific geographic area:
"After filing the insurance claims, Secret Service agents say brand new phones were mailed out to hotels throughout the Houston area."
Most banks regularly flag purchases outside a consumer's normal credit card purchase patterns. Mobile service providers and mobile device insurers could and should do the same; especially where insurance claims include a different delivery address than the customers' home address. The new overage alert features by mobile service providers is a good first step in this direction, but it shouldn't require prodding by the FCC.
Third, several Houston area hotels seem to routinely accept and deliver packages to people who routinely made reservations but never checked in. This is like airlines accepting luggage for passengers who make reservations but never buy a ticket. Airlines have identified this security risk, and so too should hotels. Accept packages if you want, but deliver them only to customers have they have registered and checked in; or make it a perk only for loyalty program members.