$45k stolen in phone porting scam

Powered by SC Magazine
 

Scammers steal identity, redirect banking verification codes.

Part one of a three part series into fraud.

Fraudsters are increasingly using social engineering techniques to steal mobile phone numbers and intercept their owners’ online banking verification codes, according to an investigation published in the inaugural Australian print edition of SC Magazine.

With the country’s police forces too stretched to investigate and telcos unwilling to accept responsibility for the problem, Australia’s banks have been forced to wear the risk and cost of the fraud as they look to new methods of protecting online accounts.

The alarm

The scam is sophisticated, as one recent example illustrates.

George Craig*, a small business owner from Sydney’s Northern Beaches, received a call on his home phone from the Commonwealth Bank in mid-July.

He was told that his mortgage account had been accessed by fraudsters, who had funnelled out some $45,000. And his mobile phone – which hadn’t rang off the hook as it usually did during business hours – was used as a tool in the attack.

Craig cannot be 100 percent sure how his online bank account was compromised. He blames himself for conducting online banking sessions on a company laptop without adequate security software.

But he had assumed that money couldn’t be funnelled from his bank account to an account he had not transacted with before, thanks to a feature the Commonwealth Bank introduced in 2007: NetCode.

NetCode is a form of two-factor authentication that issues Commonwealth Bank’s online banking users with SMS messages before allowing them to transfer large amounts of money to unfamiliar accounts. When a new, large or unorthodox transaction is attempted online, the bank sends a verification code to the account holder’s mobile number. The code is then typed back into the online banking section as an additional authentication measure.

But when fraudsters took the $45,000 from Craig’s account, they also had control of his mobile phone.

In the days leading up to the fraud being committed, he had received two strange phone calls. One came through to his office two-to-three days earlier, claiming to be a representative of the Australian Tax Office, asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number for an urgent job; his daughter gave out the number without hesitation.

The fraudsters used this information to make a call to Craig’s mobile phone provider, Vodafone Australia, asking for his phone number to be “ported” to a new device.

As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud.

Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an electronics retailer.

Thankfully, the abnormally large transaction raised a red flag within the fraud unit of the Commonwealth Bank before any more damage could be done. The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

Phone porting

Mobile phone number portability was introduced in 2001 as a Government-mandated requirement for telcos, in order to prevent them from locking in customers.

The initiative has undoubtedly led to better outcomes for consumers and lowered the barrier to entry for new market competitors. But there is plenty of evidence to suggest that the scheme – in its current form – is prone to fraudulent activity.

Privately, banking representatives have told SC Magazine that the mobile phone is the most concerning new attack vector to mitigate, but collective efforts by the banks, telcos and law enforcement have failed to curb the problem.

Mobile number portability is regulated under an industry code administered by the Communications Alliance (c570) and enforced by the Australian Communications and Media Authority. The code includes a section on what telcos must do when porting a number to ensure a customer has authorised the transaction. This appears to only require a telco’s customer service representative (call centre agent) to ask some very simple questions – such as a customer number and date of birth – to verify identity.

Revisions to the code suggests the finance and telecommunications sectors have known phone porting was prone to fraud for close to two years.

In December 2009, the Communications Alliance responded to lobbying efforts by the banking sector and updated the code after “to allow for the use of mobile number portability data by financial institutions for the purposes of fraud prevention or to assist in fraud investigations where a rights-of-use holder has been denied access to their service, or where there has been fraudulent porting activity”.

John Stanton, chief executive officer at Communications Alliance confirmed the issue was raised with the telco industry group by representatives at the Australian Government’s Department of Broadband, Communications and the Digital Economy (DBCDE).

Communications Alliance discussed the matter with its members and decided to provide the banks access to the mobile number portability database.

Stanton said Communications Alliance offered bank the opportunity to build an automated check of the MNP database into their verification systems to determine whether a phone number had recently been ported before sending a verification code to any given mobile number. That way, verification codes are only sent to ‘stable’ SIMs and alarms can be generated for phone numbers recently ported.

He said a number of Australia’s banks had taken up the opportunity, and a number had not.

“The banks are all aware that access exists. It’s really a question for the banks themselves if they don’t choose to use the access provided to them,” he said.

SC Magazine approached Australia’s four major banks to ask whether they had taken up the offer. Westpac and NAB refused to comment, while ANZ does not use SMS verification.

A spokesman for the Commonwealth Bank confirmed that it was part of the Interbank Working Group that approached the Alliance in 2009 with regards to unauthorised Mobile Number Porting, which resulted in amendments to the c570 code.But the bank ultimately decided not integrate with the database for fear it would expose customers to further risks.

“We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

The bank felt it prudent not to disclose what security limitations the database presented.

“The [Commonwealth Bank] Group takes the security of our customers seriously and we are continually optimising and investing in our prevention and detection capability,” the bank said.

Investigations

To Vodafone Australia’s credit, the telco launched a full investigation into the Craig case in response to inquiries from SC Magazine.

“We can confirm that one of our customer service representatives received a call at 5.35pm on 19 July 2011 from a person presenting themselves as the account holder for the mobile phone number in question,” the carrier stated.

“It appears that the caller had sufficient personal details about the account in question for the customer service representative to believe that he was speaking to the account holder. The caller requested to terminate the contract and port the mobile number to a new prepaid account provided by another mobile carrier.

“The account and mobile phone number was subsequently ported from Vodafone to an alternative provider of prepaid services on 20 July 2011.

“Vodafone later received a request [from the customer] to reverse the port and the post-paid account was reinstated on 22 July 2011.”

In other words, the fraudster had enough information on the victim to meet Vodafone’s obligations under the code.

SC Magazine asked Vodafone’s competitors what security questions they sought for mobile number porting, but all referred to the Communications Alliance. All were satisfied that the telco’s responsibility ended once a customer service representative asked the questions mandated by the industry code.

Informally, Craig has been told that customers can insist that their telco ask additional security questions to validate a number port. But this is not explicitly advertised by any of the telcos.

*The victim’s name has been changed to protect his identity.

Read on to learn how NSW Police deals with the phone porting issue...

Problem solved?

As is standard practice for online banking fraud in Australia, the Commonwealth Bank has absorbed the hit for its customer and put $45,000 back into Craig's account.

A NSW Police detective contacted Craig on September 15 to ensure the bank had followed through with its promise to reinstate the $45,000. With this condition satisfied, the case was suspended on September 29 pending the bank asking the police to proceed with the matter any further.

One local police investigator told SC that in his long career, a bank has only asked for a suspended online fraud case to be investigated once. The vast majority of cases remain suspended. Further, SC Magazine was told that the police would, in any case, have to weigh up whether it has the adequate resources to investigate frauds involving such small amounts of money.

No attempt was made at a local police level to escalate the Craig matter to the NSW Police Fraud and Cybercrime squad, for the same reasons.

But the Commonwealth Bank claims it has forwarded evidence to the NSW and Federal Police forces that could have been used to prosecute the offenders.

The bank’s fraud squad – which had identified the suspect transactions within minutes of the fraud being committed - was able to track down where the criminals spent the stolen money.

A spokesman for the bank said it “dealt with both Federal and State (NSW) Police regarding the incident” and that “both authorities were advised on the availability of CCTV footage” of the offenders spending their ill-gotten gains.

“The Bank was advised by one of the authorities that the offender had left the country – reducing the likelihood of further action by that authority,” the spokesperson said. 

Remedy

Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

But he is naturally concerned at the sophistication of the attack on an ordinary citizen.

In the two years since the banks and the DBCDE approached the Communications Alliance to attempt to plug gaps in the system, the requirements for verifying a customer’s identity haven’t changed.

Craig recommends other Australians call their mobile network provider and request that additional security questions be asked before their number can be ported.

The phone numbers for mobile portability at each of the telcos is listed below.

HOW TO PROTECT YOURSELF FROM MOBILE PORTING SCAMS

Call your mobile phone provider on the phone numbers below and insist on additional security questions being added to your account before the number can be ported.

Telstra - 1800 303 302
Optus - 1800 780 219
Vodafone - 1300 130 741
Virgin Mobile - 1300 555 100

Copyright © SC Magazine, Australia


$45k stolen in phone porting scam
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1428

Vote