2/10/2017
Client Jeff T sent the following email to iTandCoffee recently:
"A friend's daughter had her bank account hacked when someone stole her mobile phone number. Yes, her number: not her phone. The first she knew of it was her phone stopped working and then an email message from her bank saying her account was now linked to a Samsung: she had an iPhone. Apparently they transferred the number to a new SIM and then used their phone to tap an ATM with phone access and withdrew $400. Optus and Comm Bank confirmed that this is what happened."
The theft of mobile numbers - which can happen if someone gathers enough information about you (via 'snail' mail theft, social engineering, or other means) to set up a new SIM in your name and transfer your mobile number to that SIM - has been reported at various times in the press over the last 12 months or so.
It is known as 'mobile number porting', and can happen when someone is the victim of identity theft.
Can I request a 'password reset' text from my bank?
I must say that I did check my own bank account after receiving Jeff's email, curious to see if my bank (Commbank) would text a password reset link to my mobile number if I chose their 'forgotten password' option.
Fortunately, Commbank requires you to enter 2 pieces of information before it will send you a message with a 'password reset' link. You must provide a card number and your ATM PIN. If your PIN is easily guessed (for example, it is your birthday, anniversary, or your postcode), then you could be in trouble.
If you can't provide the required two pieces of information, then you would have to call the Commbank call centre or visit a branch - and presumably convince the person on the other end of your identity.
What does your own bank require? Can you request that a password reset link be sent to your mobile?
Do any of your online accounts send a 'password reset' link (or a password) to your mobile number?
It is definitely worth considering what might happen to all of your online accounts if someone was able to steal your mobile number.
I know that Telstra will send you a text with your Bigpond account password, as long as you provide a few identity details - identity details that are not so difficult to obtain if you are a scammer!
The person who steals your mobile number could then log in to your Bigpond email account. Once there, they could do a heap of password resets for your online accounts that use that email address - given that many online accounts will let you choose a 'forgotten password' option, and send an email with a link for resetting the account password.
Personally, I never use my Telstra Bigpond email address to register for any online accounts. That way, if someone was to get access to my Bigpond account, it would not be much use to them. For all my other online accounts, I have 'two step verification' in place (or two-factor authentication) as an extra 'layer' of protection.
Here's an article from iTandCoffee about this extra security measure:
The issue with two-step verification if your mobile number is stolen
If your mobile number is stolen, you should consider which of your accounts has 'two step verification' in place - where a text is sent to your mobile with a code to enter after you have attempted to log in with your username/email address and password.
While two step verification (or two factor authentication, if offered) is a 'must do' on all online accounts, it is of little value if your mobile number is stolen - especially if you have used the same password on lots of online accounts, and the thief/hacker has discovered that password. You will no longer receive that 'protective' number code - the thief/hacker will.
If ever you suspect you are the victim of the theft of your mobile number or any online account has been breached, act as quickly as you can to change passwords and contact your Telco and Bank.
If you need help with password resets (or any other security matters), iTandCoffee in Glen Iris can help. Just call 1300 885 420 to make an appointment.
How was Jeff's friend hacked?
For the example described above by Jeff T, I would wonder if the person involved had been caught out (perhaps without even realising it) by a phishing email, and given away her online banking details or other identity details, including her mobile phone number.
Or she may have had her email and password stolen from some website that had been hacked, and may have used the same password for other online accounts (a big no-no!).
She may have had an easy-to-guess PIN for her bank account.
Perhaps they had obtained personal information about her from her social media world; perhaps they had stolen statements or other letters from her letterbox.
While phone number porting scams are scary, I am sure that the scammers would not have been able to gain access to the victim's bank account simply by having a SIM with her mobile number.
iTandCoffee is at 34 High Street Glen Iris 3146, Victoria Australia
Call 1300 885 420 or (03) 9886 0814
© 2019 iTandCoffee Pty Ltd. All rights reserved ACN: 606 340 434