We all worry about losing our phone but very few of us probably worry about losing our phone number. The consequences, however, can be far worse.
Adelaide couple Dea and Jamie are saving for their dream wedding but the process quickly turned into a nightmare when they became victims of an increasingly common crime known as fraudulent phone porting.
Also referred to as SIM swapping, it is used by criminals to move a mobile phone number from one carrier to another without the true owner of the number realising. They then use it to burrow into personal accounts, change passwords and steal what they can.
Given precious accounts often require two-factor authentication via text message, it can be an effective method to take control of someone’s online world.
That’s what happened to Jamie at about 4:45pm on Friday, April 26 when his phone suddenly lost all service.
“I wasn’t able to contact Dea to go pick her up from work,” he recalled.
Thinking it was a billing issue he dismissed it. Shortly after he checked his emails to retrieve movie tickets and discovered his Gmail password had been changed. That’s when he realised something wasn’t right.
Thousands stolen in minutes
“I then checked my Netbank account. I was able to get in so the password hadn’t been changed but a fair sum of money had been taken from our joint wedding account,” he told Yahoo News Australia.
The scammer had pilfered $8500. The couple were straight on Dea’s phone trying to put a freeze on their bank accounts.
At this point they still didn’t realise Jamie’s phone number was the source of the attack.
“It was only until after we got home from the movie that we looked into it and we found that other people had experienced their phone number being ported out to a different SIM,” he said.
Porting victims targeted on Fridays
These attacks are often done on a Friday afternoon, making it hard for the victims to speak to the necessary customer agents in order to stem the pain.
“Being Friday night - and we were supposed to be at dinner - made it so hard,” Dea said. “We had to get in contact with so many people.”
Typically carriers like Optus, Telstra and Vodafone send a text message confirming the port out in what amounts to a fleeting chance to halt the process before your number is gone. But Jamie says that never happened for him.
“There was no kind of warning, that was the main thing. It just happened,” he said.
Optus says it follows industry agreed processes to validate the porting of numbers.
“All telecommunications providers are affected by fraudulent porting activity and we are working alongside the banking sector on solutions that address the affects of fraudulent porting,” an Optus spokesperson told Yahoo News Australia.
“Unfortunately by the time a fraudster requests a phone number port, customer information has often been accessed.”
Little info needed to hijack phone number
What shocked the couple the most was discovering what little amount of information is required by scammers to do this type of thing.
Depending on the carrier, and sometimes the customer service agent, a SIM can be ported with just a name, mobile number and date of birth of the owner.
“They (Optus) didn’t really give me a good idea of how someone had done it but we figured out that all you need to deal with customer support and pretend to be someone was the phone number, date of birth and their full name,” Jamie said.
“That’s information that can be quite accessible through data mining or social media. I just thought it was incredible really.”
Optus confirmed that a “mobile service number along with an account number or date of birth” is enough to port a number. That’s in line with guidelines set by the Australian Communications and Media Authority, it pointed out.
The day after Jamie had his number stolen, he spent three hours in store dealing with Optus followed by a further two hours at a Commonwealth Bank store.
They went to the police and were told to file an online ACORN report detailing the cyber crime but never heard anything further.
“It felt very much like our privacy had been invaded and they were like ‘oh yeah, no worries,’” Dea recalled.
Offences ‘increasing rapidly’
Dr Terry Goldsworthy is a former detective inspector for the Queensland police who now works as an assistant professor at Bond University.
He began researching the prevalence of illegal mobile porting back in 2017 and believes the problem is much greater than police or telcos are willing or able to admit.
“When I was looking at it, the offences were increasing rapidly,” he told Yahoo News Australia. “I’d be very surprised if that’s changed.”
When it comes to illegal phone porting the data is hard to find and varies by state.
In April 2017, NSW introduced a new crime classification of phone porting but in most cases incidents like this get muddled in with other forms of identity theft and online fraud.
“You don’t start a crime classification unless you see a trend worth following,” Dr Goldsworthy noted.
He believes many cases actually go unreported and would like telco providers to take more proactive steps to prevent fraudulent porting.
“Crime prevention is better than cure, and I don’t think it would be hard for them to introduce systems to prevent this,” he said. “I’m a bit at loss as to why they don’t think it’s worth their while to do something more.”
Creating an extra PIN
In the end, Jamie and Dea got their money back. But Jamie was locked out of some of his accounts for 30 days and is still dealing with customer care at Optus over the incident.
While they dealt with a very helpful in-store employee, the couple said they were “disgusted” by the lack of care from Optus during the ordeal but they wanted to share their story in the hope it will prevent such a thing happening to others.
“We spoke about it with our friends and every single person we spoke to did not know SIM porting was a thing at all,” Dea said.
A lot of their friends have since called their provider to put an extra protective PIN on their accounts - something that consumer groups urge customers to do.
Do you have a story tip? Email: firstname.lastname@example.org.