Fraudsters are increasingly using social engineering techniques to steal mobile phone numbers and intercept their owners’ online banking verification codes, according to an investigation published in the inaugural Australian print edition of SC Magazine.
With the country’s police forces too stretched to investigate and telcos unwilling to accept responsibility for the problem, Australia’s banks have been forced to wear the risk and cost of the fraud as they look to new methods of protecting online accounts.
The scam is sophisticated, as one recent example illustrates.
George Craig*, a small business owner from Sydney’s Northern Beaches, received a call on his home phone from the Commonwealth Bank in mid-July.
He was told that his mortgage account had been accessed by fraudsters, who had funnelled out some $45,000. And his mobile phone – which hadn’t rang off the hook as it usually did during business hours – was used as a tool in the attack.
Craig cannot be 100 percent sure how his online bank account was compromised. He blames himself for conducting online banking sessions on a company laptop without adequate security software.
But he had assumed that money couldn’t be funnelled from his bank account to an account he had not transacted with before, thanks to a feature the Commonwealth Bank introduced in 2007: NetCode.
NetCode is a form of two-factor authentication that issues Commonwealth Bank’s online banking users with SMS messages before allowing them to transfer large amounts of money to unfamiliar accounts. When a new, large or unorthodox transaction is attempted online, the bank sends a verification code to the account holder’s mobile number. The code is then typed back into the online banking section as an additional authentication measure.
But when fraudsters took the $45,000 from Craig’s account, they also had control of his mobile phone.
In the days leading up to the fraud being committed, he had received two strange phone calls. One came through to his office two-to-three days earlier, claiming to be a representative of the Australian Tax Office, asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number for an urgent job; his daughter gave out the number without hesitation.
The fraudsters used this information to make a call to Craig’s mobile phone provider, Vodafone Australia, asking for his phone number to be “ported” to a new device.
As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud.
Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an electronics retailer.
Thankfully, the abnormally large transaction raised a red flag within the fraud unit of the Commonwealth Bank before any more damage could be done. The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.
Mobile phone number portability was introduced in 2001 as a Government-mandated requirement for telcos, in order to prevent them from locking in customers.
The initiative has undoubtedly led to better outcomes for consumers and lowered the barrier to entry for new market competitors. But there is plenty of evidence to suggest that the scheme – in its current form – is prone to fraudulent activity.
Privately, banking representatives have told SC Magazine that the mobile phone is the most concerning new attack vector to mitigate, but collective efforts by the banks, telcos and law enforcement have failed to curb the problem.
Mobile number portability is regulated under an industry code administered by the Communications Alliance (c570) and enforced by the Australian Communications and Media Authority. The code includes a section on what telcos must do when porting a number to ensure a customer has authorised the transaction. This appears to only require a telco’s customer service representative (call centre agent) to ask some very simple questions – such as a customer number and date of birth – to verify identity.
Revisions to the code suggests the finance and telecommunications sectors have known phone porting was prone to fraud for close to two years.
In December 2009, the Communications Alliance responded to lobbying efforts by the banking sector and updated the code after “to allow for the use of mobile number portability data by financial institutions for the purposes of fraud prevention or to assist in fraud investigations where a rights-of-use holder has been denied access to their service, or where there has been fraudulent porting activity”.
John Stanton, chief executive officer at Communications Alliance confirmed the issue was raised with the telco industry group by representatives at the Australian Government’s Department of Broadband, Communications and the Digital Economy (DBCDE).
Communications Alliance discussed the matter with its members and decided to provide the banks access to the mobile number portability database.
Stanton said Communications Alliance offered bank the opportunity to build an automated check of the MNP database into their verification systems to determine whether a phone number had recently been ported before sending a verification code to any given mobile number. That way, verification codes are only sent to ‘stable’ SIMs and alarms can be generated for phone numbers recently ported.
He said a number of Australia’s banks had taken up the opportunity, and a number had not.
“The banks are all aware that access exists. It’s really a question for the banks themselves if they don’t choose to use the access provided to them,” he said.
SC Magazine approached Australia’s four major banks to ask whether they had taken up the offer. Westpac and NAB refused to comment, whilst ANZ does not use SMS verification.
A spokesman for the Commonwealth Bank confirmed that it was part of the Interbank Working Group that approached the Alliance in 2009 with regards to unauthorised Mobile Number Porting, which resulted in amendments to the c570 code.But the bank ultimately decided not integrate with the database for fear it would expose customers to further risks.
“We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.
The bank felt it prudent not to disclose what security limitations the database presented.
“The [Commonwealth Bank] Group takes the security of our customers seriously and we are continually optimising and investing in our prevention and detection capability,” the bank said.
To Vodafone Australia’s credit, the telco launched a full investigation into the Craig case in response to inquiries from SC Magazine.
“We can confirm that one of our customer service representatives received a call at 5.35pm on 19 July 2011 from a person presenting themselves as the account holder for the mobile phone number in question,” the carrier stated.
“It appears that the caller had sufficient personal details about the account in question for the customer service representative to believe that he was speaking to the account holder. The caller requested to terminate the contract and port the mobile number to a new prepaid account provided by another mobile carrier.
“The account and mobile phone number was subsequently ported from Vodafone to an alternative provider of prepaid services on 20 July 2011.
“Vodafone later received a request [from the customer] to reverse the port and the post-paid account was reinstated on 22 July 2011.”
In other words, the fraudster had enough information on the victim to meet Vodafone’s obligations under the code.
SC Magazine asked Vodafone’s competitors what security questions they sought for mobile number porting, but all referred to the Communications Alliance. All were satisfied that the telco’s responsibility ended once a customer service representative asked the questions mandated by the industry code.
Informally, Craig has been told that customers can insist that their telco ask additional security questions to validate a number port. But this is not explicitly advertised by any of the telcos.
*The victim’s name has been changed to protect his identity.
Read on to learn how NSW Police deals with the phone porting issue...
As is standard practice for online banking fraud in Australia, the Commonwealth Bank has absorbed the hit for its customer and put $45,000 back into Craig's account.
A NSW Police detective contacted Craig on September 15 to ensure the bank had followed through with its promise to reinstate the $45,000. With this condition satisfied, the case was suspended on September 29 pending the bank asking the Police to proceed with the matter any further.
One local Police investigator told SC that in his long career, a bank has only asked for a suspended online fraud case to be investigated once. The vast majority of cases remain suspended. Further, SC Magazine was told that the Police would, in any case, have to weigh up whether it has the adequate resources to investigate frauds involving such small amounts of money.
No attempt was made at a local Police level to escalate the Craig matter to the NSW Police Fraud and Cybercrime squad, for the same reasons.
But the Commonwealth Bank claims it has forwarded evidence to the NSW and Federal Police forces that could have been used to prosecute the offenders.
The bank’s fraud squad – which had identified the suspect transactions within minutes of the fraud being committed - was able to track down where the criminals spent the stolen money.
A spokesman for the bank said it “dealt with both Federal and State (NSW) Police regarding the incident” and that “both authorities were advised on the availability of CCTV footage” of the offenders spending their ill-gotten gains.
“The Bank was advised by one of the authorities that the offender had left the country – reducing the likelihood of further action by that authority,” the spokesperson said.
Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.
But he is naturally concerned at the sophistication of the attack on an ordinary citizen.
In the two years since the banks and the DBCDE approached the Communications Alliance to attempt to plug gaps in the system, the requirements for verifying a customer’s identity haven’t changed.
Craig recommends other Australians call their mobile network provider and request that additional security questions be asked before their number can be ported.
The phone numbers for mobile portability at each of the telcos is listed below.
HOW TO PROTECT YOURSELF FROM MOBILE PORTING SCAMS
Call your mobile phone provider on the phone numbers below and insist on additional security questions being added to your account before the number can be ported.
Telstra - 1800 303 302
Optus - 1800 780 219
Vodafone - 1300 130 741
Virgin Mobile - 1300 555 100