CYBER criminals are using a simple trick to steal people’s mobile phone numbers, move them to a different carrier and use the stolen number to gain access to the victim’s other personal information, including their bank and MyGov accounts.
It’s a surprisingly easy thing to accomplish and can wreak havoc for those who unwittingly become a target. In most instances, fraudsters simply need an account number for your mobile provider and your date of birth.
Given that most important accounts rely on two-factor authentication, which involves receiving a text message code to log into the account, pinching someone’s mobile phone number can give criminals serious access to your digital life.
On late Friday afternoon, before the Queen’s birthday long weekend this month, Sydney woman Deborah Brodie, 37, received a text message form Optus confirming her number will be ported to Vodafone. She did not request to change providers but just six minutes later she had another text confirming it had been successful. Shortly after her phone switched to SOS mode.
Ms Brodie ended up having her iTunes account hacked as well as her bank account and someone used her credit card to go on a spending spree.
“It was really violating, it leaves you feeling really exposed,” Ms Brodie told news.com.au. “It was done in such a calculated manner.”
She believes the timing on the eve of the long weekend gave the hackers the maximum time to run amok before she could deal with Optus’ fraud team.
Despite being with the company for nearly two decades, the telco didn’t seek personal verification from Ms Brodie and seemingly had very little prevention in place to stop the illegal porting.
Ms Brodie runs a company called Bop Along Buddies, which provides inflatable animal-shaped bouncers to help children with disabilities develop their co-ordination, and says having her mobile number stolen was a huge headache for her business.
“For five days my customer and clients didn’t have access to me.” Given the nature of her work, it was a feeling that left her “physically ill”, she said.
For now, she has the same number back (although is worried about keeping it) and the matter is still pending investigation.
“This is a new scam that’s happening more and more,” Ms Brodie said. “Is it the phone companies that have to better? I think it is.”
Last week, Australian journalist Tracey Holmes chronicled her own ordeal trying to get her mobile number back after it was illegally ported and someone attempted to ransack her online world.
She had to change all her passwords to her online accounts and took an entire day off work to visit the Telstra store and her bank to resolve the matter. Like so many others, she waited five days to receive a new number.
“It appears that because I recently moved house someone may have gone and got some old mail from my mailbox … They had access to my Telstra account number. From there they’ve gone on social media, they’ve worked out my date of birth,” she says in the video.
In her case, she believes that’s how hackers turned her world upside down for a day.
The video attracted plenty of attention and was filled with comments from Facebook users all reporting very similar stories.
“Happened to someone I know, the fraudster used it to hack banking SMS codes and racked up $20k debt. Took him weeks to get his number back,” wrote Facebook user Melissa Plant.
“Exact same thing happened to my mother,” said another user Stanley Grayson from Newcastle. “Worst part was when it happened to her, because they then had her phone number, all of her security checks were sent to SMS.”
Astonishingly, one poor person claimed it happened to her four times.
“This happened to me four times over a twelve month period. They never had my Telstra account number, only my phone number and date of birth — a guy at the Telstra store admitted that on the form to request transfer of your number to another provider, if you select pre-paid rather than post-paid, you don’t need the account number and nobody will check this,” said Sydney Facebook user Katie Fletcher.
News.com.au contacted Ms Fletcher but did not receive a response by time of publication.
However Telstra said its porting processes are identical for pre-paid and post-paid services and comply with industry regulation on mobile porting. The telco also admitted social media has made it easier for scammers to game the system.
“We recognise the threat level is changing given the increased availability of individual’s personal information (eg, date of birth) on social media and other open platforms. In order to meet this challenge, we are working to strengthen our identification and verification procedures even further,” Telstra media spokesperson Steve Carey said in a statement to news.com.au.
Due to an increase in cases, the telco is considering trialling additional measures later this year to prevent the unauthorised port-out of mobile numbers.
Optus, on the other hand, was quite reluctant to speak on the issue.
After repeated attempts by news.com.au to obtain comment, Optus simply said: “To request a SIM swap, an existing Optus customer must complete an identity check which may include name, address, service number and date of birth.”
Judging by online discussions, fraudulent porting of mobile numbers is a tactic that’s been going on for some time, so it’s no surprise that mobile service providers such as Telstra are keen to act to minimise further cases.
In a Whirlpool post from March 2016, a user described a friend who was a FIFO worker and after emerging from a mine and turning his phone on, he was unable to text, call, or use the internet.
“He contacted Vodafone and they informed him his number had been ported to the Telstra network. He naturally expressed his disbelief to Vodafone. His bank account has been accessed, however Commonwealth Bank smelt a rat and quickly took the appropriate action, unlike Vodafone or Telstra,” the user recounted.
Has this happened to you?
Smartphone hacking demo with Nadav from Check Point Software Technologies