Identity Theft - SIM Scam

It happened again. For the fourth time in the past six months, somebody contacted my mobile service provider claiming to be me, ordered a replacement SIM and ported my number to a new device.


Judging from a quick search online, I can see that I am not the only victim of this scam. All that is needed is a full name, mobile number and date of birth, and the fraudsters have all the verification needed to take charge of my mobile account. Once they have control, they can intercept any ‘two-factor’ authentication running via my phone (including internet banking) and take advantage of the info stored on my account (address, billing details).

The first thing that happens is that service appears to be down, so that you receive an ‘emergency calls only’ signal message. In some cases the scammers even send a text message prior to porting the number with a false indication that ‘service will be intermittent for the next 24 hours’ (this buys them time to conduct the scam). Once you work all this out, they have normally gone to work on stealing your details.

The fallout is everything connected to your mobile needs to be changed, and you may need to chase down any stolen money or expenses. It can be a frustrating and time-consuming mess.

After the first time this happened, I was keen to make sure it didn’t occur again and added a PIN to my account, an additional security measure. I’m certain that no one else can obtain this number, so it was to my surprise when the same problem occurred THREE more times. Obviously something was going on, so I tried to ‘hack’ my own account online. As you can see from the below screen grab, it was all too easy to replicate the scam as the staff never ask for my PIN.

*click to enlarge

I’ve raised the issue with my telco before, and each time the failure to ask for my PIN has been blamed on staff training. Whatever the case, I think it’s too simple to hack a mobile account for the purpose of porting a number to a different device, especially when two-factor mobile authentication has become a fairly standard security protocol.

But I’d like to know what you think. So, am I an easy target or should my mobile provider be doing better?

9 Likes

Sorry to hear you are having repeated problems with the same telco.

It appears that scammers may be targeting them as they know that they will have success with that particular telco.

If this happened to me, I would be changing telco…including breaking any contract with them. I am sure thay you would have sufficient grounds to break a contract without penalty as they will be in breach of their own t&cs

7 Likes

Which Telco is this through? I’d like to avoid them.

3 Likes

It’s Optus @NubglummerySnr, but as far as we know the same issue affects a number of providers (such as Telstra and some smaller operators). It raises some questions about a pretty serious back door for scammers for me.

8 Likes

Sorry to hear that!

Wherever possible: I try and avoid disclosing my date of birth online. If a hacker breaches a third party service with my details, I want to minimise the chance they’ll find this out use this somewhere else. Not sure if that helps…

Edit: I never told Facebook my DOB but they’ve worked it out. Darn!

3 Likes

In this era of google know everything and an incoming proliferation of companies that provide fairly complete reports on anyone for a fee, no questions asked beyond credit card details, personal privacy and identity security are increasingly going “south”.

Search on an American’s name, look at the free data that includes history of residences, age, relatives, and more, then for a fee - everything; it will be an intro into what we will face.

2 Likes

Just going off-topic for a moment - try duckduckgo as a search engine - they don’t save your data.

6 Likes

I have just acquired a Telstra version of the HTC-A9 which has a PIN and fingerprint access protocols. I wonder now if is is secure

1 Like

Also Startpage (https://www.startpage.com/au/ for Australian linked searches or the parent https://www.startpage.com or their US page https://www.ixquick.com/ or the European part https://eu.startpage.com/ which doesn’t use any US based servers, are all non retention search providers.

2 Likes

To my understanding @johnn31, the fingerprint protocols should help add security to that particular device. However, the scam basically diverts your number to an entirely new device (could even be to a device in another country), so it’s more of a bypass issue. We’re all pretty much in the same boat for this one, but keeping control of your personal details (name, birthday, mobile number - the type of things you might be tempted to enter on an unknown internet survey) will likely help :wink:

I’m sure there are other tips too.

2 Likes

Yeah, fingerprint technology will stop people from accessing the data on your phone, but it won’t prevent your digital identity from being stolen. Long after someone’s nicked your phone number, your phone will still happily prevent people from accessing it via your thumbprint. Meanwhile the criminal who’s stolen your sim details is happily using it on a different phone that knows nothing of your thumb prints and doesn’t care if you have one or not on your own phone.

2 Likes

Article from news.com.au
There is a new type of identity theft on the rise that most people probably don’t realise exists: Porting scams.

This is where a scammer gets your mobile number ported to another SIM without authorisation and uses that to access your accounts through two factor authentication. Most carriers have very little security steps to prevent this, so make sure you check what yours has!

3 Likes