Australia’s banks and telcos have failed to prevent fraudsters from using phone porting to siphon funds from compromised bank accounts.
As first explored in an investigation in SC Magazine, cybercriminals have developed simple social engineering techniques to take control of the mobile phones of online banking users whose credentials have earlier been captured by key loggers and other malware.
With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions.
Several new cases in Western Australia suggest that fraudsters have discovered a new form of target.
Alison Buckett*, a real estate agent in Perth, is among the victims.
Buckett was a Commonwealth Bank customer and Optus mobile customer, and runs a settlement agent/conveyancing business for property buyers.
At the beginning of October, Buckett received an email notification from the CBA to provide receipt of a transaction of over $19,000 to an unfamiliar account registered in Queensland. She immediately called CBA and was put through to the NetBank Security division, which froze her funds pending a fraud investigation.
The next morning, Buckett felt obliged to report the incident to the Western Australian Board of Commerce, which regulates her industry. Whilst the loss of $19,000 to any small business is likely to harm their cash flow, settlement agents are particularly vulnerable as they hold funds in their accounts for customers that have paid a deposit on a property but not yet settled.
“The position of the Department of Commerce states that if there is any deficit in your trust account, you have to put it in yourself," Buckett told iTnews.
"So I had to stick $20,000 of my own money in the trust account. You can imagine how nerve-wracking that is, knowing that money had been stolen from that account. If it had been $100,000 stolen from that trust account, I’d be out of business.”
It was at least 12 hours before Buckett attempted to use her mobile phone and realised that her number had been ported to another device. It also clicked that she had never received the CommBank NetCode SMS for the fraudulent transaction.
One week later, after numerous phone calls,she finally managed to reconnect with the Commonwealth Bank’s fraud team, who assured her that the money would be refunded into her account.
Buckett said the “inconvenience and stress” of the incident cost her one week’s work, and the process of getting the phone number from the fraudster (who ported it onto a SIM on the Lebara network – an international MVNO that uses Vodafone’s network in Australia) back onto her Optus device has taken closer to a month.
She fears that small businesses – who advertise their mobile numbers widely and do not tend to invest in IT security – are prime targets for such scams.
“My IT guy has conducted a thorough investigation, we expect the online banking session was hijacked by a small keystroke virus or something similar,” she said.
“I guess I am fair prey – I am a one-man band. My mobile number is on all my business cards and letterheads. I reckon 10,000 people could figure out my date of birth and mobile phone number.
“CommBank encouraged me to go onto NetBank, and I love it, I find it hard to deal without. They assured me the SMS code was very, very secure.”
SC Magazine was told by telcos earlier this year that customers could call to have additional questions added before a number is ported. But the telcos appear never to have implemented this process.
“What I have learned is that there is no guarantee a perpetrator couldn’t port my mobile number out again,” Buckett said. “There are no added security options to prevent it being re-ported again.”
Buckett learned that CommBank offers OTP tokens as an additional security measure, but mostly for its largest customers. “They told me – we don’t advertise that they are available, you won’t get one unless you ask.”
Stay tuned for Part II of this story tomorrow: can Australia's banks and telcos tackle the problem?
* The name of the victim has been changed to protect her privacy.