How easily your mobile number can be stolen - as this iTandCoffee client found

You may have seen recent articles in the press about the increasing incidence of mobile number porting - where a person's mobile number is moved to a different mobile service provider by an unknown person. If this happens, you suddenly find you no longer have mobile service. You may first receive a message that tells you the porting is happening - generally when it it is too late to stop it.

How can number porting happen? What benefit can a thief get from stealing a mobile number belonging to someone else.

Reports of bank accounts being hacked due to mobile number porting

Here is a recent article I saw on the topic of number porting: The simple new phone number scam - and how we're all at risk.

In this article, a young couple had money stolen from their bank account after the illegal porting of their mobile number. I have had several people ask me how the theft of a phone number could have allowed this to occur.

The theft of the number cannot, on its own, provide a fraudster with access to a bank account. It is likely in this case that the couple had already been the victim of a phishing attack (or some other compromise of their online world, including their bank account), theft of letters from their letterbox, or theft of credit card or banking card details.

If a fraudster has access to the online bank account, they can set themselves up as a new 'Payee' so that they can transfer funds. All that is needed is access to the mobile number to which the 'new payee' verification code is sent as an SMS.

If the credit card details are stolen, a purchase involving larger amounts usually requires the entry of a verification code sent to the mobile.

For some banks, resetting the online account's password simply needs the ID from the card to get an SMS code sent, which will then allow a password reset.

So, how does the fraudster then get your access to your mobile number so that they can get the verification code to complete the theft of funds?

It is is not that hard these days to work out a person's mobile number - even by just Googling your name, perhaps through another account that has been compromised, or even through stolen letterbox content. Some online accounts will show this phone number without masking.

And even though the fraudster may not be able to see your full mobile number or email address through a compromised online account, the scammer may be able to see other identity information. For example, my Commbank online banking settings show my home address without any masking. (It's worth checking what can be seen in the the settings of your own account - are the details 'masked'?). This gives them another piece of identity information they can use.

Other information (like date of birth) may then be gathered by the fraudster through information on social media or some other compromised account. (This is why it is not a good idea to make your full birth date accessible on social media, and why you should limit who can see this information.)

Once the fraudster has your mobile number and some other identifying information about you, they will request the transfer of the mobile number to another service provider (ie. to a SIM card that is in their own possession). Their ability to do this will depend on the amount of information they have collected and, far too often, the level of training of a Telco agent who takes their call. In many cases, this transfer is done through an online form and can happen in a matter of 15 minutes.

Unfortunately, Telco's like Telstra and Optus regularly fail to adequately identify someone who calls in relation to an account - something that I have experienced when assisting customers. Described below is an example of a scammer being provided an account number, thereby facilitating the illegal porting of the client's mobile number. Frighteningly, this makes us all susceptible to mobile number porting.

What else can a thief do with your mobile number?

If your mobile number is stolen, it is not just your bank account and credit card that is at risk.

​Many online accounts will use your mobile phone number as a way of identifying you - either to confirm a sign-in attempt, or to allow you to reset a password.

If a fraudster has control of your mobile number, this could result in illegal access to your accounts and, if they change account passwords, perhaps even result in you being locked out of your own accounts.

Financial loss and theft of your identity can result from all of this. (We recently covered the topic of identity theft and what to do if you are a victim  - here is that article: What to do if you give your drivers license or passport details to a scammer ...)

Here's what happened to an iTandCoffee client recently ...

A perfect example of identity theft and of a Telco's failure to adequately identify a caller caused great stress for an iTandCoffee client recently, after this client suffered the theft of his wallet.

Here is the message this client sent me last week:

"Last Tuesday my car was broken into and my bag containing my wallet was stolen but I emphasise NOT my phone.  I immediately did all the usual things such as stopping credit cards, notifying the bank, VicRoads, medicare etc etc and notifying the police. However on Wednesday morning I received a text from Telstra to say my application to transfer  my service from Telstra to Lebara was going through.  I immediately phoned Telstra to alert them that I had not authorised this and to stop this transfer.  They couldn’t do this as it was already underway. Incidentally, they had already supplied the thief, online, with my Telstra account number using my name and date of birth as security questions - the thief had all this from my stolen driver’s licence and my mobile number from one of my old business cards.

My question is this: what other parts of my life are at risk now that this thief is in control of my mobile phone number and my personal details? It seems to us that company after company rely on full name, DOB, billing address and mobile phone for security questions and the provision of security numbers if their system goes that far. All this is now in the hands of a thief!"

The lesson learned from a victim of number porting

This poor client spent countless hours attempting to secure his online world and fighting with Telstra to get his number back. Fortunately, he was finally successful in getting his number ported back.

His message for anyone else in this situation is to get in contact immediately with a not-for-profit organisation called IDCare. He found them very helpful and supportive, guiding him through what he needed to do - and it is a free service. He has filed a report with ACORN (Australian Cybercrime Online Reporting Network), has placed bans on his credit files with the three credit agencies (Illion, Equifax, Experian). He is now going through the ongoing process of changing endless online passwords.

It is a lesson to us all of the new dangers associated with a stolen wallet! A lock on the letterbox may also be in order!

Need help with securing you online world?

It can be daunting and difficult to work out how to change your passwords and secure your online world. If you need help with any of this, iTandCoffee can offer the patient and understanding assistance that you need. Call 1300 885 420, email [email protected] or book online on itandcoffee.com.au/appointment-request.