iTnews

Home buyer funds hit in phone porting scam

By Brett Winterford on Nov 9, 2012 2:39AM
Home buyer funds hit in phone porting scam

Real estate trusts targeted.

Australia’s banks and telcos have failed to prevent fraudsters from using phone porting to siphon funds from compromised bank accounts.

As first explored in an investigation in SC Magazine, cybercriminals have developed simple social engineering techniques to take control of the mobile phones of online banking users whose credentials have earlier been captured by key loggers and other malware.

With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions.

Several new cases in Western Australia suggest that fraudsters have discovered a new form of target.

Alison Buckett*, a real estate agent in Perth, is among the victims.

Buckett was a Commonwealth Bank customer and Optus mobile customer, and runs a settlement agent/conveyancing business for property buyers.

At the beginning of October, Buckett received an email notification from the CBA to provide receipt of a transaction of over $19,000 to an unfamiliar account registered in Queensland. She immediately called CBA and was put through to the NetBank Security division, which froze her funds pending a fraud investigation.

The next morning, Buckett felt obliged to report the incident to the Western Australian Board of Commerce, which regulates her industry. Whilst the loss of $19,000 to any small business is likely to harm their cash flow, settlement agents are particularly vulnerable as they hold funds in their accounts for customers that have paid a deposit on a property but not yet settled.

“The position of the Department of Commerce states that if there is any deficit in your trust account, you have to put it in yourself," Buckett told iTnews.

"So I had to stick $20,000 of my own money in the trust account. You can imagine how nerve-wracking that is, knowing that money had been stolen from that account. If it had been $100,000 stolen from that trust account, I’d be out of business.”

It was at least 12 hours before Buckett attempted to use her mobile phone and realised that her number had been ported to another device. It also clicked that she had never received the CommBank NetCode SMS for the fraudulent transaction.

One week later, after numerous phone calls,she finally managed to reconnect with the Commonwealth Bank’s fraud team, who assured her that the money would be refunded into her account.

Stress

Buckett said the “inconvenience and stress” of the incident cost her one week’s work, and the process of getting the phone number from the fraudster (who ported it onto a SIM on the Lebara network – an international MVNO that uses Vodafone’s network in Australia) back onto her Optus device has taken closer to a month.

She fears that small businesses – who advertise their mobile numbers widely and do not tend to invest in IT security – are prime targets for such scams.

“My IT guy has conducted a thorough investigation, we expect the online banking session was hijacked by a small keystroke virus or something similar,” she said.

“I guess I am fair prey – I am a one-man band. My mobile number is on all my business cards and letterheads. I reckon 10,000 people could figure out my date of birth and mobile phone number.

“CommBank encouraged me to go onto NetBank, and I love it, I find it hard to deal without. They assured me the SMS code was very, very secure.”

SC Magazine was told by telcos earlier this year that customers could call to have additional questions added before a number is ported. But the telcos appear never to have implemented this process.

“What I have learned is that there is no guarantee a perpetrator couldn’t port my mobile number out again,” Buckett said. “There are no added security options to prevent it being re-ported again.”

Buckett learned that CommBank offers OTP tokens as an additional security measure, but mostly for its largest customers. “They told me – we don’t advertise that they are available, you won’t get one unless you ask.”

Stay tuned for Part II of this story tomorrow: can Australia's banks and telcos tackle the problem?

* The name of the victim has been changed to protect her privacy.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
cba commbank fraud lebara mnp phone porting scam security

Partner Content

Putting cyber security basics in place
Partner Content Putting cyber security basics in place
Four data superpowers to harness before 2022
Promoted Content Four data superpowers to harness before 2022
IBM now offers sovereign security capabilities in Australia
Partner Content IBM now offers sovereign security capabilities in Australia
Setting a path to self-funded mainframe-to-cloud modernisation with Micro Focus
Promoted Content Setting a path to self-funded mainframe-to-cloud modernisation with Micro Focus

Sponsored Whitepapers

Customer Identity and Access Management for Dummies
Customer Identity and Access Management for Dummies
Empowering workforces in the new environment
Empowering workforces in the new environment
Is the technology refresh dead?
Is the technology refresh dead?
DevSecOps: A framework for digital innovation
DevSecOps: A framework for digital innovation
Encryption: Protect your most critical data
Encryption: Protect your most critical data

Events

  • On-Demand Webinar: How Poly and Microsoft are Embracing Future Work Environments
  • [Webinar] - Transformation versus compliance – a guide for CXOs
  • "How Digital Transformation can solve the cyber challenge"
  • Masters of Microsoft Licensing
  • Is your DevSecOps stuck in first gear?
By Brett Winterford
Nov 9 2012
2:39AM
0 Comments

Related Articles

  • BOQ tries to pin BEC blame on a branch manager
  • Two arrested over large-scale SMS phishing scam
  • Scammers abuse app store subscriptions to rake in millions
  • CBA to become first major bank to launch its own BNPL service
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Kmart Australia and NZ will put a robot called TORY into every store

Kmart Australia and NZ will put a robot called TORY into every store

Aussie Broadband says some customers are switching providers to get high-speed NBN discounts

Aussie Broadband says some customers are switching providers to get high-speed NBN discounts

Swinburne University data breach exposes details of 5000 staff, students

Swinburne University data breach exposes details of 5000 staff, students

NAB sacked tech worker behind 2019 data breach

NAB sacked tech worker behind 2019 data breach

You must be a registered member of iTnews to post a comment.
Log In | Register
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.