Using your mobile number for 'secure codes' weakens your security

Despite what many banks and websites might tell you, using your mobile phone number for 2-factor authentication (“Secure Codes”) exposes your bank accounts - it happened to me.
Mid-day one Saturday my phone couldn’t connect. I’m on Telstra and they’d been having a whole lot of issues that had taken out their entire landline, internet and mobile phone network in the region for 4 days, so I thought it was a sort of ‘after shock’ from that. I decided to register my issue so that I’d at least be able to get some rebate of my charges, only to be told that my number had been ported (transferred to someone else). Unfortunately, the process to report and resolve an unauthorised transfer (theft) of a mobile phone number requires the victim (me) to call the appropriate department at their mobile provider so that they can confirm to which carrier the number was ported, then to call that carrier to report the theft and have them put the account on hold and deal with my carrier to reverse the port. Unfortunately the “appropriate department” is only open during business hours on weekdays, so the thief had half of Saturday, all of Sunday and most of Monday morning to try to wreak havoc with my bank accounts. He managed to move ~$1,000 from one of my accounts (which I managed to reclaim) and made attempts on a couple of others (which were spotted as suspicious by the banks in question, who then put a block on my accounts). While I didn’t lose any money, it cost me several hours contacting banks etc., most of Monday morning on the phone to different mobile providers, and the hassle of not being able to withdraw money from my primary bank account or use my credit card until I rocked up at a branch (the closest of which happens to be 150 km from where I have recently moved to). Be warned: the process to steal someone’s mobile phone number just requires you to know their mobile number, full name, address and date of birth, and, I’ve learned, is becoming increasingly widespread. I now use a dual-SIM phone and have 2 mobile numbers, one of which I only use for ‘secure codes’.

9 Likes

I’d be interested in your thoughts on how they associated your accounts with your mobile number, i.e. what was the attack vector. If they subverted your handset, then a banking app you had installed might be one way; or if they subverted your online banking and learned your mobile number, that might have caused them to target it. There are other possibilities, like subverting your personal computer or tablet etc., but it seems obvious it wasn’t a random take of the mobile number and working back from there; they must have known the association. Do you know these details, or care to take a stab at what the process was? It might help us understand additional levels of protection that can be applied.
Interesting story. If a little scary. But not surprising, sadly. Thanks for sharing.

3 Likes

Choice - please put this on your list for follow up!

2 Likes

No idea about the ‘vector’, though I suspect the contents of my rubbish bin were taken. I have since bought a crosscut shredder as well as the second SIM card! They accessed my bank account by calling the phone banking service and then claiming to have forgotten the password. They had my name, address and date of birth and got the secure code sent to the mobile number they’d stolen from me. They then transferred as much money as they could without my account going overdrawn into an account with the same bank (which speeds up that process). I believe that it’s technically illegal to take copies of driver licences (which contain all the info they needed apart from the mobile number), but that’s done every time I visit a Leagues Club or RSL, and every time I’ve ever taken out a mobile phone contract. I think it’s safe to assume that the details of everyone who has done either of those things can be bought for a small fee…

2 Likes

It is amazing how powerful a mobile number is when it is used to verify an account of some sort, as many organisations (e.g. banks, ISPs, social media, health funds etc.) send verification codes to mobiles to authenticate the member/user.

If you have posted your mobile online or attached it to an email and it gets into the wrong hands, it is relatively easy for someone to unscrupulously start accessing all your accounts (once they have other bits of info which could be relatively easy to find, e.g. if one is a Google/Apple account holder). I recall seeing an article recently where an IT journalist was hacked and, from recollection, it could be done once the hacker could obtain verification codes or a password to access one of the journo’s accounts. This account had a wide range of information that allowed the hacking to snowball. It is possible that it was done the same way.

When verification still relies on human input (from both ends), there are security risks, as either end can be the weakest link.

I also never give a mobile number for setting up accounts or for verification purposes.

Personally I believe mobile is by far the most accessible option for such security. Most people have one and it doesn’t rely on programming, e.g. Apple and Android Pay.
I did complain that the account number was included in my code SMS once and the bank fixed it.

To port your number, the attacker would need:

  • your account number
  • a phone bill
  • your name, address and DOB
  • your mobile number

To access your bank account, the attacker would need:

  • your account number
  • a statement or transactions
  • your name, address and DOB
  • your mobile number

Look, if a criminal is going to steal something they will. What happened to you was exceptionally elaborate and targeted. It in no way indicates the system is insecure. In fact, without it there would have been significantly less effort required to steal.

Now let’s say you don’t use a mobile number. What do you use?
Email? Quite easy to steal or reset an email password from overseas.
Postal? Wait 3 days every time to confirm your ID? Still a risk of mail being stolen.
Fingerprint? Easy to duplicate, and unlike a phone number or password you cannot change this.
Hardware token? In 2011 RSA token timing and encryption was broken and millions of tokens had to be replaced; unlike 1 mobile port, millions were instantly affected.

2 Likes

Thanks Carlos. I do agree that using a mobile phone is convenient. However, your faith in the amount of information required to steal someone’s phone number is misplaced. As it happens my wife changed her mobile provider this week, and all she had to provide online to her new provider was the mobile number, her full name and address and her date of birth. I think the process needs a review. I think that it was designed to make porting easy in the late 80s/early 90s as mobile phone ownership went mainstream, so it was based on the principle of making the port straightforward and dealing with the exceptions later.

1 Like

Hiya Andrew James

Thank you for alerting the Choice Community of your situation.

It is important that consumers are aware of how easy it is to lose control of your personal information, and how quickly it can happen when a mobile phone is stolen.

My mobile phone was stolen just before Christmas, and I have experienced very similar problems to you. It is a most uncomfortable feeling to know that one’s personal banking information has been accessed, and more so an enormous inconvenience and very time consuming to correct the situation.

Good luck protecting your personal details in the future. I believe we all need better protection and improved legislation to protect victims.

Sometimes we need more than technology and legislation to protect us; a little bit of luck never goes astray!
Cheers Natalie

I understand your complaint about the privacy of your phone, however you haven’t provided something more fail-safe. Phones are not the perfect method, but they are the most accessible and better than most other options.
I believe the real issue you have is not the use of SMS by banks and companies but the failure of your mobile carrier(s) to protect your mobile phone number?

I’ve ported numbers quite a few times (Telstra, Optus and Aldi) and all required more than a name, address and date of birth.
I needed a licence number, a scan of 100 points emailed in, full name and account number (not mobile number).

Those subverting this in your wife’s case probably have connections in the industry to break the rules; the verification is a human routine, not system protection.

For this I like the higher tier of security in new bank systems:

  • no bank staff can even view or edit your account (by challenge questions or account lookup)
  • You receive an SMS and read out for them to unlock the account info so they can assist you.
  • It would close down the risk of staff assisting in identity theft.
  • If I don’t have my phone working or can’t receive the code SMS I must go to a branch.

I ported a number from Telstra to Optus last week. To complete this I had:

  • to receive a confirmation text on my Telstra mobile,
  • to provide the confirmation code back to Optus and reply to the text message to Telstra with the code number.

You and I should expect this to be the minimum requirement to avoid a thief porting your number, as it proves ownership more than quoting names and addresses.

Connections in the mobile industry can just look up a service number (04xxxx) and get the full billing info (name, address, DOB) under your account, until they follow suit with the banks and enforce client/staff multi-factor.

I agree, Carlos. But until such time as the mobile phone industry in its entirety adopts, or is forced to adopt the practice you describe, we should be very aware of how blind faith in the technology compromises our financial security.

1 Like