Mobile phone porting: new type of scam to look out for
12 February 2013
Please note: while this is a real-life story from the banking industry, the names have been changed to protect the privacy of those involved.
Fraudsters are increasingly using social engineering techniques to elicit personal information. This information can subsequently be used to compromise a customer’s online banking account.
Joe Banker, a small business owner from Melbourne, received a call on his home phone from his bank. He was told that his mortgage account had been accessed by fraudsters, who stole $45,000 out of his account. He was advised his mobile phone was used to complete the fraud.
Joe isn’t completely sure how his online bank account was compromised, but he assumes it happened while he was doing his banking online using a public computer whilst on holiday.
He had assumed that money couldn’t be funnelled from his bank account to an account he had not transacted with before, thanks to SMS authentication which uses the customer’s mobile as a way of authenticating payments.
SMS authentication is a form of two-factor authentication that most banks use as a way of approving the transfer of large amounts of money to new accounts. When a customer creates a payment to a new account, makes a large payment or purchases something on selected online shopping websites, the bank sends an SMS verification code to the account holder’s mobile number. The code is then typed into online banking as a way of confirming that it is the real customer using the online banking account.
But when fraudsters took the $45,000 from Joe’s account, they also had control of his mobile phone.
In the days leading up to the fraud being committed, Joe had received two strange phone calls. One came through to his office three days earlier, with the caller claiming to be a representative of the Australian Tax Office and asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number and basic personal information for an urgent job, and his daughter gave the number out without thinking twice about it.
The fraudsters used this information to make a call to Joe’s mobile phone provider, Telco Australia, asking for his phone number to be ported to a new device.
As the port request was processed, the criminals sent Joe an SMS pretending to be from Telco Australia to advise that they were experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This gave the criminals a 24-hour window in which to commit the fraud before Joe could realise what had happened.
Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an online electronics retailer.
Thankfully, the unusually large transaction raised a red flag within the fraud unit of Joe’s bank. The fraud team immediately tried to contact Joe, but there was no answer on his mobile. After several failed attempts to contact him, Joe’s bank account was frozen.
Find out how we protect you and how to protect yourself from being scammed by visiting our security centre.