Aussies at risk from costly phone scam
AUSTRALIAN phone carriers were "negligently" allowing scammers to steal thousands of dollars from their customers and should be forced to compensate victims unless they introduced basic security measures to halt the threat, experts said today.
The call came after the Telecommunications Industry Ombudsman warned more fraudsters were stealing victims' phone numbers and siphoning money from their bank accounts due to lax security, in one case stealing $9000 from a woman after her mobile phone was disconnected.
And security experts warned many Australians were still unaware of the threat and did not know how to protect themselves.
Telecommunications Industry Ombudsman Judi Jones said a specialist unit within the agency investigated the so-called "SIM swap" scam after receiving several complaints about "one particular (phone) provider" with inadequate security.
The company would allow anyone with a customer's name and date of birth to access and make changes to their phone account, she said, even allowing ID verification "in online chat" windows.
"Their verification processes weren't as tight as they could have been so the potential to impact a large group of consumers was quite high," she said.
"You shouldn't be able to access your account simply with your name and date of birth because that's just too easy to find in lots of places."
Ms Jones said fraudsters perpetrated the scam by stealing a victim's personal information from fake emails, online searches or even physical mail, and using it to access their phone account and transfer their mobile number to a new SIM card.
That phone number could then be used to authenticate access to the victim's bank and PayPal accounts, email, and even social media profiles.
In one case exposed by the TIO, a woman had her mobile phone disconnected and $9000 siphoned from her bank account.
Another man reported "tens of thousands of dollars" stolen from his bank and new services added to his phone account.
Cyber safety educator Leonie Smith said the scam was insidious and telephone carriers should be forced to make security changes to prevent its spread, or deal with the consequences of the scam.
"The telcos need to be smarter about it," she said.
"They should be punished.
"If your telco, through their negligence, is allowing your phone number to be used by someone else, they are at fault. They have to make it harder for people to get hold of those (mobile phone) numbers."
Ms Smith said one victim she helped had her phone number stolen by scammers three times before her phone carrier agreed to put a PIN on her account.
Australian Communications Consumer Action Network chief executive Teresa Corbin said phone providers should be forced to introduce basic additional security to shut the scam down, such as text messages to verify phone number transfers or adding PINs or passwords to accounts.
"Now we're using mobile phone numbers as authentication (for bank accounts), the onus is on the telco to make sure (phone number) porting doesn't happen automatically," she said.
"There's no excuse for them not to introduce further authentication. It may not be a PIN but there needs to be a second step to make sure it's a transfer that's been approved by the account holder."
Ms Corbin said consumers who found their phones disconnected unexpectedly should contact their provider, and mobile phone users should take care with publishing their information online.
"A lot of people don't realise this scam is possible and they put their information on social media," she said.
"Every piece of information you expose can be used to scam someone or fake their ID."
HOW TO PROTECT YOUR PHONE NUMBER
- Ask your telco to set a PIN or password on your account
- Avoid revealing your mobile phone number online, if possible
- Remove your birthdate from social media
- Use two-step verification to log into accounts
- Put a lock on your mailbox to prevent theft
WHAT TO DO IF YOU'VE BEEN SCAMMED
- Call your telco immediately and report it
- Contact your bank to check for fraudulent activity
- Change banking, email, and social media passwords
- If you've had money stolen, report it to police
- Report the scam to the ACCC's Scamwatch website