Fraudsters have been using stolen mobile phone numbers to access — and drain — the bank accounts of unsuspecting victims, the Telecommunications Industry Ombudsman has warned.
The practice, according to the TIO, involves fraudsters convincing a mobile service provider to switch a mobile number to a new SIM card, known as SIM swaps.
Having the person’s name and mobile number then allows them to gain access to bank accounts, emails and other online accounts, given the increasing prevalence of mobiles being used not just to access accounts but as part of multi-step authentication processes.
Victims have reported their bank accounts have been drained of thousands of dollars.
Fraudsters have been allowed to do so, the Ombudsman suggested, primarily because of lax identification checks when requests to port numbers are made.
“The Telecommunications Industry Ombudsman’s Systemic Investigation Team noticed a trend of complaints in 2018 about mobile service providers who had a low bar for consumer identity verification,” Ombudsman Judi Jones said.
“We have been working with these providers to address these problems and help prevent future complaints.”
The major telco providers — Telstra, Optus and Vodafone — have all been asked to comment.
My Business reached out to those major telco providers to get comments on the Ombudsman’s findings, as well as the Communications Alliance, an industry body covering the broader communications sector.
A Vodafone spokesperson said in a statement that the issue was rare among its customer base.
“It’s rare for Vodafone customers to experience SIM swap fraud due to increased measures we put in place in 2018 to provide increased protection for customers. Vodafone does not process SIM swaps over the phone. SIM swaps can only be performed online or in-store, and both require identification or secure verification,” the statement said.
“For an online swap to be successful, the person attempting the swap must know the customer’s MyVodafone password, their account PIN or be able to verify the transaction using an OTP (One-Time PIN sent to their device). If attempting a SIM swap in-store, the person must have valid ID such as a driver’s licence or passport and know the account PIN.”
Meanwhile, a Telstra spokesperson said that the company is “always looking to strengthen our privacy and fraud-related controls”, and claimed the Ombudsman’s report “positively cites our process improvements including requesting extra ID checks for high-risk transactions”.
“A SIM swap is considered a high-risk transaction and therefore covered by Enhanced Authentication. This involved the introduction of a ‘one-time PIN’ that has now been introduced to other transactions including account detail changes, changes to authority, the addition (or removal) of a service and change of ownership,” the spokesperson said.
“In December 2017, we made changes to processes for verifying the identity of new postpaid mobile customers and those customers who have been with us for less than six months and acquire a new postpaid mobile service online.”
Optus and the Communications Alliance had yet to respond at the time of publishing.
How are fraudsters gaining mobile numbers?
According to Ms Jones, many people make their mobile numbers freely available online, while others are conned directly by scammers.
“Fraudsters are developing new ways to collect personal information about a consumer — accessing social media profiles, posing as telemarketers or sending deceptive emails. They use this information to impersonate consumers, deceive mobile service providers and steal consumer’s mobile numbers,” she said.
For business owners and salespeople, the problem could be more acutely felt, given that mobile numbers are widely advertised for customer accessibility.
The TIO said that it does not break down the complaints between personal and business-related, and it declined to provide the actual volume of complaints it had received about the issue.
“This systemic investigation looks at the potential for exposure to all consumers who own a mobile phone, personal or business-related,” a spokesperson told My Business.
“We don’t have the complaint numbers or the breakdown of consumer v small business complaints available; the purpose of the investigation is to assist providers with their verification procedures to limit the risk for all mobile service customers.”
What can be done to prevent mobile number theft?
The TIO said that there are a number of ways the mobile holders can do to reduce their risk of falling victim to scammers in this way, but acknowledged that “the more publicly available your personal information is, the more susceptible you are to mobile number theft”.
It suggested the following basic measures:
- Don’t respond to emails asking for your bank account details, phone number and personal details.
- Don’t respond to any caller who asks for access to your computer. Don’t give them any passwords or other information. Hang up.
- Don’t click on links in emails or text messages saying you have won a prize or have a message, particularly if you don’t know the sender.
- Reduce disclosure of personal details such as full name, mobile number and full date of birth online on social media, online dating websites or blogs. If you must enter these details, ensure they are hidden from public view.
- Lock your letterbox. Fraudsters can gain personal information about you by physically stealing your mail.
Telcos have also been urged to do their part by stepping up security on mobile accounts. It has recommended that service providers:
- Allow customers to set up PINs on their telco accounts.
- Enhance the customer authentication steps before customers can make a transaction by requiring customers to provide an additional form of ID as well as full name, date of birth and mobile number.
- Introduce two-factor authentication by sending customers one-time PIN numbers through SMS or email for all high-risk transactions such as SIM swaps.
What to do if your mobile number is stolen
According to the TIO, victims may only realise their number has been stolen when their service is suddenly disconnected, or if they are notified about a SIM swap that they didn’t request.
In such instances, it suggests:
- Contacting your bank or financial services provider immediately and explain that your mobile number has been taken. Ask them to check for any withdrawals or unusual transactions on your account.
- Contacting your mobile service provider and ask them to get your number back.
- Contacting Australia and New Zealand’s national identity and cyber support service IDCARE online or on 1300 432 273.
- If fraud or theft has occurred, contact the police.
More information on mobile number theft is available on the TIO’s Reducing fraudsters’ theft of mobile numbers report.
Adam Zuchetti is the editor of My Business, and has steered the publication’s editorial direction since early 2016.