I Was Illegally Ported - How to Avoid This?

Late last week I was the victim of an illegal porting of my mobile phone number (Aldimobile) by a scammer/hacker! I noticed this since I suddenly lost service! This was immediately followed, within the same hour, by a cyber attack on several different banks I use. I was alerted to these attacks by automated emails that the banks sent me where funds were attempted to be transferred from different accounts etc. As far as I know, the banks and I were able to stop all these fraudulent transfers. I am still in the process of getting all my internet banking accesses back on-line however. Aldimobile was able to get my number back the next day, thankfully. Aldimobile told me that they received a replacement SIM request from the hacker!

So, my question is - whilst there are lots of things we can do to increase our internet security, what can a person do to mitigate the risk of having one's mobile phone number illegally ported (i.e. hijacked)?

EDIT: ChiMot said that I should have received an SMS from provider asking if this port was authorised: see https://www.acma.gov.au/port-customers-phone-number
If this had happened, this problem would NEVER have occured, so I think Aldimobile failed - I will be following this up with them!!

NOOOO!! As somebody else pointed out, I didn't get the sms because it was not technically ported out, it was just transferred to another SIM (aka SIM swap)

Further update: Further research has led me to believe that there is a loophole in the ACMA rules for providers in how number porting must occur wrt security. https://www.acma.gov.au/port-customers-phone-number As far as I can see, the rules of checking the validity of the request ONLY APPLY to porting and not SIM swapping. If the same rules were applied to SIM swapping, this would never have occurred to me. Conclusion: the ACMA rules fall short in ensuring adequate security by not mandating the same security measures apply to SIM swapping as they do to porting.

Related Stores

ALDImobile
ALDImobile

Comments

  • +11

    I thought some years ago Government made it as law that the provider must send us sms asking user to confirm the port out? Before that time yes it was easy to steal numbers

    • great idea - that would have saved me, but I never received any SMS etc to confirm port out!!

      • +9

        I think they would have requested a sim replacement, activated the sim, then immediately ported the number (or maybe they didn’t, and just used the ALDI service for their purposes).

        Hard to require an SMS confirmation for a replacement sim, unfortunately, as that wouldn’t work. When I have needed one in the past I needed to show photo ID, but that was with Voda, not ALDI.

        • It does work, other providers already implement this. When I need to do a sim swap with Telstra, Vodafone or Optus, they send a code to the number for me to verify my identity before performing the sim swap. They also do this as part of their standard verification process before they discuss my account.

          If the original sim was lost or otherwise inoperable, they send the code to my email.

    • +1

      You are 100% spot-on, I checked, see my now edited post above.

      • Do you have an online account for Aldimobile ? If so what's the delivery address ? Scammers ?

      • +5

        Yes usually your provider sends an SMS to warn you the number is being ported. So the reason you didn’t get it is because the hacker requested a new SIM. He did not port the number at all.

        You lost service when the hacker activated a replacement SIM.

        This is why Aldi managed to get you back online, they still had your service.

        If I were you, I would port the number immediately to a new provider before a does it again.

  • +5

    Your SIM was illegally replaced. Someone must have your ID info in photo.

    • +4

      you are right, it was illegally replaced. They didnt need a photo ID because it was done by them hacking my online account and requesting a replacement SIM there. I think then that that is a loophole in the legislation. The legislation should also compel providers to SMS customer before a SIM replacement also!

      • +11

        providers to SMS customer before a SIM replacement

        Not saying I'm against that but what if your sim is broken or you've lost it? Perhaps an email as well, or instead? I know emails can be hacked.
        *Assuming you mean SMS the customer as a verification method. eg. temp verification code

      • +17

        If a customer is requesting a replacement SIM, chances are the existing SIM is defective and hence they won't be able to receive an SMS.

        • +3

          Still a good idea to send notification SMS in advance to the existing SIM though..

        • +4

          Yes, under that scenario an SMS would not help. But under my scenario it definitely would have helped and stopped the scam. So, conclusion is sending SMS could help under some scenarios, but importantly, would NEVER be a disadvantage to send it.

          • +2

            @GOCAT9: Your scenario does not make sense:

            Someone was logged into your ALDIMobile account and requested a SIM replacement for a lost/Damaged SIM.

            ALDIMobile assume that this is you, who else has this information to log into your account? being that the SIM is lost/damaged/Stolen they are not going to send a message to the possible recipient because if it is lost nothing comes back (waste of time), if it is stolen then the thief is going to reply with No do not authorise this (the opposite of what you want to have happen).

            They could require that an email is sent to the registered address on the account, to do this they will also need to ensure that a change of email address through the website also triggers an email to the old address.

            The point being this is not easy to fix, if they do not allow the porting then someone accessing your bank accounts with your phone as the SMS verification device (if your phone is locked I assume they can place the SIM in another device to get the messages).

            Banks and other organisations need to move to an app based MFA mechanism, as do ALDI and others… the problem is the reason that ALDIMobile and others are so cheap! it is because their service and their business is laser thin. I signed up with GloBird for energy recently, no login, no nothing of customers just use a random code for the bill information - the point being these businesses have no margin for security which is wrong but it is what it is at the moment.

            • @mlbrooke: Scenario does make sense. Added security
              If someone requests new sim, they can automatically send an sms saying a sim replacement has been organised, and to call them immediately if the user did not request this.

              In this case as the OPs sim would still be functional when new sim was requested, they would have received this sms and could have called provider to cancel request

              I know that's not the only problem here and agree with your suggestion, but i don't think it'd harm to add an extra layer

          • +2

            @GOCAT9: Hey GOCAT9,

            Sim replacement is often one of the final steps that happen before your bank account is fleeced.

            It looks like your email/laptop being hacked and the hacker would have been watching for weeks maybe months!

            They use keyloggers to track your URL visits and passwords.

            The hacker would have gotten into your bank accounts, including your Aldi mobile account, issued request to do the sim replacement, and quickly followed by requests to send money out of your accounts.

            An early indicator of being hacked is when your friends receive an email or FM message from you asking them to sign up or log into something you have recommended.

            Hope it helps you, or others.

      • SMS verification is unreliable at best. Surely you weren’t only using SMS for your banking without additional security measures like a password as well. SMS is often used as the second factor in 2FA to enhance the security of a password. It sounds like the passwords you are using are not up to scratch. SMS is unreliable because it relies on an SMS gateway, telephone network and additional device to work properly - many things that can fail. Authenticator Apps are more reliable and not susceptible to SIM card copying / stealing. Firstly though, choose long unique passwords for your services. A password manager can help if set up properly. Then look at a better 2nd factor instead of SMS. SMS is convenient though not very reliable and therefore not a great security factor.

      • How did they 'hack' your online account? They must have gotten your password from you somehow?

  • +6

    Don't use a phone number as 2FA, use an app. Then they would need to get physical access to your phone and unlock it to get access to accounts.

    • use an app.

      Which app?

      • +5

        Authy and many others

        • -1

          Can authy be used for all 2fa? Some sites seem to only suggest certain apps, like ms or Google authenticator.

          • +1

            @kiitos: You can choose which app you want to use.

          • +1

            @kiitos: Authy supports Google Authenticator codes.

          • @kiitos: Yes, some websites don't make it clear, but you can use Authy (or other apps) and pick Google Authenticator.
            Authy will scan and understand the code.

        • +3

          On Android, use google authenticator.
          I have dozens (really) of 2FA accounts setup in google authenticator.
          More and more places use time based 2FA and the most common algorithm is TOTP (https://en.wikipedia.org/wiki/Time-based_One-Time_Password)
          I mean just yesterday, I had a prompt to add it to my nVidia account - which I then did. (we don't need to talk about how nVidia requires a user/pass to get updated drivers)
          Plus, you must use a password manager. Every password I have is different and I don't know what they are. I do know what the password to my password manager is though.

          • @xylarr:

            we don't need to talk about how nVidia requires a user/pass to get updated drivers

            How so? You can download them from https://www.nvidia.com/Download/index.aspx without a login.

          • +1

            @xylarr: If you use google authenticator you should make sure to back up the 2FA setup codes in a password manager, as Google Authenticator has no online backup ability. I would suggest Authy as it does cloud backup of 2FA.

          • @xylarr: Authy is so much better. Google authenticator is a downright pain if you change phones. You have to redo everything for every service.

    • +2

      Tell that to the banks using sms as their first authentication method (and some only use this!)

  • +4

    Hi there

    Some of my personal information got compromised in 2019. The hackers then made multiple attempts to purchase iPhones from Optus(my service provider at the time) over the phone to some random address in Sydney.. Luckily, I received a few texts from Optus about it and I was able to call them in time to reverse that purchase. Furthermore I was able to instill a 6 digit passcode on my account. Blocking anyone else to place orders on my behalf, may it be online or over the phone.
    So yeah, call up your provider and see if you can set a code like that to protect yourself. Thanks

    • +2

      Good tip. I have now done that. I only hope that this code is required when ordering a replacement SIM online. I will be calling Aldi to check this.

  • +2

    Remote wipe, MFA, different passwords, and in this case, as Aldi to provide the details of where the new sim request was being sent to, let the local Leb and bikey mates know in Adeliade then see if they can… … … (profanity) them up for you. After doing so, then let the cops know the address. :)

    🤜

    • +1

      Thanks, all good points. However, unfortunately Aldi do not have to send a SIM anywhere. The scammer just buys any new SIM at an Aldi supermarket and then contacts Aldi with the SIM number to have it transferred. This can also be done from the online account after it is hacked without them having to talk to anybody.

      • There’s your problem - Aldi Mobile.

      • What would be interesting is whether that replacement SIM, bought in an Aldi supermarket, was paid for with a credit card. You might be able to track that to the fraudster.
        Though that would depend on every Aldi SIM having an individual bar code.
        Did you call the police?

      • Must have been some registration and attempt to activate the sim which can link back to a location of sorts… Either way… Looks to now have been sorted!

    • Hahah, you legend

      • +3

        Aldi mobile is a sub business of Aldi midi marts. They are a reseller, it’s not their network. Aldi mobile is purely a services play. I’m not sure Aldi Mobile is international.

  • Did they get a new sim card replacement and activated that, then got the sms,etcetc?

    Just read the above. Nice catch at least.

  • -3

    How did this happen exactly? I have had an Aldi sim for years and they would have at the very least have needed access to your Aldi account to request a new sim in the first place. Secondly, you can't just transfer the number to a new sim without verification. The new sim then needs to be activated via your account before being ported which then requires verification. For this part alone, they needed to be in your Aldi account so there's your first problem.

    Other than needing your Aldi log in details they then had to change the sim delivery address which Aldi can see in order to receive the sim which would then take a week to arrive or did they monitor your post every day to try and intercept the new sim? Then they needed a verification SMS. Porting out also makes absolutely no sense if they wanted to access your bank accounts assuming they even knew your accounts were tied to that specific number in the first place.

    They would have needed your current number to log in to other accounts, change those details to a new number of their choosing then port out to that new number while somehow cirumventing all the bank security and verification policies too and for what purpose? They wouldn't have needed to port your number to attempt making transfers, in fact, it's the opposite as they need the number tied to those accounts.

    What you are saying is too convoluted, illogical and also not even possible unless they had access to more than just your Aldi account. People can't just "hack a phone" to gain access to that kind of stuff either. Sounds more like some had physical access to your phone and even then, trying to port the number to a new sim from the same company makes no sense whatsoever. It's the thought process of a child. Even switching the number to a new sim from Aldi serves no purpose for anyone wanting to access your accounts. Switching to a new number and locking you out to access your accounts is the way it would have been done and they could have done that immediately with any sim and access to your phone which is what they needed to do any of what you mentioned anyway.

    • +3

      Agree, somehow OP’s details were leaked or stolen prior to the SIM change event.

      I’m no expert, but I can’t think of how the “hacker” could have known OP’s bank accounts (the bank(s) and login/password) with just having the phone number. Like if OP was “stalked” and the phone number was to then enable their criminal activities. I suspect OP’s phone was already compromised prior.

      • It's not possible and this whole porting to a new sim from the same company serves no purpose whatsoever.
        If somone had ordered a new sim for the same number, then they would have needed to change the delivery address. The OP could simply check the address in their Aldi account.

        There was also no porting let alone illegal. You port to a new company, not a new sim with the same one. That's a sim replacement which is for when your sim is lost or phone is stolen so usually that number is temporarily deactivated as you technically don't have access to it and will be notified via email too anyway. This also requires validation.

        If someone had access to all the log in and verification methods required for these things alone, then this has nothing to do with Aldi and everything to do with several of the OP's accounts having been hacked which is incredibly unlikely as if they had, they could have successfully locked the OP out and circumvented all warnings from the bank. If someone had access to the OP's phone and was messing around, they could have easily succeeded in locking the OP out. The OP has assumed this has anything to do with Aldi when it's more likely the OPs other accounts were hacked from weak/same password/physical access to their phone. It's also possible that none of this happened as none of it makes any sense as ordering a new sim achieves nothing other than maybe attempting to lock them out of their service which they could have done from within the account they need to have accessed to request it anyway.

      • People would be surprised how many data breaches have occurred with popular services they likely use.

        I wouldn't be surprised if most people here have had at least some of their personally identifiable information stolen.

        Google "haveibeenpwned" and go to that site. Put in your email address or mobile and I would be amazed if you haven't had your details exposed.

        https://haveibeenpwned.com/

    • +3

      Thank you for those comments, however whilst it might be nice if the world worked that way, unfortunately the facts don’t support that. In summary, this is how it was done, so this is now fact.
      1. My Aldi online account was hacked and they use that to request a replacement SIM.
      2. What that means is that they buy any new $5 Sim at any Aldi supermarket.
      3. The scammer then logs back into the online account where they can enter the new Sim number (not phone number). The online system then transfers the phone number to that new Sim number.
      4. All done, the scammer now has my phone number on their phone. This could take maybe 30 minutes to complete.

      • +7

        So how is it an illegal port or scam? Aldi did nothing wrong here. A sim transfer was requested and verified from your account. The issue comes from your acount being compromised.

        As for the transfers, how can anyone access or request a transfer from your bank accounts with just your phone number? They'd need a lot more information than that including PIN/biometric/Passwords. It would seem it's a lot more than just your Aldi account that has been compromised.

        • Not saying Aldi did anything particularly wrong here but I'm with OP in wishing all companies in these fields would have some minimum defined protection for people from these kinds of attacks. A sim replacement (or port) is not a common occurrence and wouldn't not have hurt anybody to have a notification sent out to all listed contacts including the old sim (as the hacker could have simply updated existing contacts).

          It's scarily easy for mobiles and accounts to be compromised and quickly provide a path to the rest of our accounts. The number of times I have seen a phone unlocked and unattended for even just a moment - when a moment is all someone with malicious intentions needs - is unsettling. I worry there are generations who either don't completely understand technology or are overconfident in with technology and don't take the appropriate steps to secure themselves. Yes, that would be their own fault but it would be nice if companies would understand that this is just something that happens and put more effort into protecting their customers. (like how ATMs literally tell you to cover the keypad while entering your pin - a small gesture and and obvious thing to some but not all, or how your own accounts they hide your own details from you for the expected possibility that it isn't you)

          The phone number might be the other security factor and can be used for password resets for email accounts (even worse if it's their single signon account then they remove other existing reset contacts). If they managed to get into the Aldi account I would assume, they have access to at least the persons name and email address and possibly more personal info (like postal address as well as anything else they can glean from facebook or the like). The hacker could then reset the email password and do a quick keyword search for banking or other account details (transfer receipts, user may have emailed a photo of their drivers license or Medicare card at some stage, etc.). Now that they have access to both the email account and can receive sms/phone calls and know which websites you have accounts with they can start trying means of resetting your account passwords there and obtaining more personal information. Meanwhile the victim has lost access to both their phone number and emails. Give the hacker just an hour with all this information and I think they can at least attempt to get a lot done - now imagine they started right as you went to bed only for you to find 8 hours later when you wake up with no phone signal and can't log into half your accounts. All this from just the Aldi online account, the reason it didn't get worse was probably the banks did more to protect their customers from what could have looked like a completely and legitimately authorized transaction. Yes, it shouldn't have happened in the first place but it is scary that I think this could easily happen to my parents.

          Not that it's exactly this easy nor do I understand or know exactly what happened and maybe I'm just paranoid but I'm always scared that it could happen.

          • @secondstory: wishing all companies in these fields would have some minimum defined protection for people from these kinds of attacks.

            They do. A lot of people are with Aldi Mobile, how many peoples accounts do you think have been accessed? Companies are totally responsible if they are hacked and account logins are leaked but that is not what has happened here. A sim replacement isn't an uncommon occurrence (I've done it myself with Aldi despite not having lost my phone).

            In order to achieve the sim replacement alone, they at least needed access to the OPs Aldi account, verification method and email. That's several layers of security bypassed right there. Then they needed more personal information and other logins and verification methods for the bank transfers. It's not something that's done so easily, in fact it's pretty damn difficult.

            This is a major compromise on the OPs side and has nothing to do with Aldi as even their bank accounts were compromised. There are far more security and protection measures today than ever before and although this can happen to anyone at any time (and not just nowadays) it doesn't happen anywhere near as much as you think and almost always happens because of a compromise on the user's side. It's up to user to set up proper security and use different passwords/log in methods.

            Something as simple as leaving your phone open and unattended can be like leaving your keys in an unlocked car. However, even if the OP used the same phone number and same password for every account with no 2FA or authentication of any kind, the banks still enforce your account to require at least a PIN or biometric scan to log in so how was this done as It's impossible without either. All of this still required them knowing the OPs specific banks and their account details and log-in information too. That's quite a lot to know about someone even if they managed to have the OPs phone, thumb and somehow gleaned their PIN numbers too…

            It's good to be a little paranoid to keep you on your toes, but in the end, if it happened, it was all prevented anyway as the banks were onto it and all of this was impossible just from having access to an Aldi account so relax. It's pretty hard to breach bank security as they are very pro-active in their response and your parents came up through generations without the cyber security we have today. As long as they have common sense you shouldn't worry too much.

  • +1

    Ok so your subject isnt right this is not illegal porting but someone call aldi says i lost my sim can you send me new one to this address.
    And funny aldi agreed with that address, so first check your aldi account what address is there.

    If that is yours then someone has access to your physical mailbox. Happened long time ago in the city apartment blocks, people stealing letters.

    But to access your bank they will need to enter your user name and password, before getting the sms.
    So, I will be worry about that as well

    • +2

      people stealing letters

      A stranger stealing OP's mail is one possibility.

      Another (perhaps more disturbing) possibility is that the person is somehow known to the OP. This could be a deadbeat relative or friend, to whom OP refused to give any more money, and who knows a lot of the details of OP's life, including the specific bank accounts where OP keeps their money.

  • I don't know if this is related to the scam but I'm getting SMSs every other day trying to get me to click a link to access either voicemail or a service message. Seems to be part of the "Flubot" malware, which only infects Android phones that allow side loading of apps (https://www.theguardian.com/technology/2021/aug/20/australia...).

    • +1

      I'm also getting these on my old phone number. The spelling is terrible, but maybe that's so only super gullible people tap on it and less people realise what's going on part way through the process.

  • Actually your PC was hacked. From there they got accounts for banks and aldimobile. Next step - request new SIM.

    Be more careful with links and sites. Also use password managers and 2FA.

  • EDIT: ChiMot said that I should have received an SMS from provider asking if this port was authorised: see https://www.acma.gov.au/port-customers-phone-number
    If this had happened, this problem would NEVER have occured, so I think Aldimobile failed - I will be following this up with them!!

    The verification is actually supposed to be sent by the provider that you are porting TO and not the one you porting FROM.

    For example, my number is with Aldi Mobile right now, and someone requests Kogan Mobile to port my number to a new Kogan Mobile sim. It is then Kogan Mobile's responsibility to check that the person is the genuine owner of that number before they initiate the port. Aldi Mobile's responsibility is only to action the port in a prompt manner.

    The thing I'm trying to say is that if Aldi are your current provider (as seems to be the case) then they are blameless in this number-porting scenario.

  • +5

    This happened to me a few years ago with Optus. There had been mail theft from the block of units I lived in. They stole my replacement ING bank card on the mail, which stupidly has your account number printed on it.

    Then they did an in store sim replacement at an Optus store. The Optus store either didn't do their due diligence asking for ID, or the scammer had a fake ID with my address, or an Optus employee was crooked and taking kick backs.

    Some attempted withdrawals in Cabramatta were blocked. Thankfully, like OP, I realised what was happening as I was at home connected to wifi and started getting email alerts. If they do this while you're asleep, you end up with a much bigger mess to clean up.

    In the end I lost nothing, but it was stressful and I had to change a lot of accounts etc.

  • +2

    OP please visit this website and see if your credentials have been leaked in any hacks: https://haveibeenpwned.com/

    After that if you use the same password for multiple accounts change it immediately, as if they had your Aldi they could try credential stuffing and get into your other accounts.

    I recommend a password manager like Bitwarden, using unique generated passwords for everything and a third party 2FA application. Avoid jailbreaking (iPhone), untrusted APKs (Android) and make sure your computers are safe by having the latest updates, a working antivirus and only trusted extensions in your browser/s.

    As for your physical ID being leaked I'm not sure what you could do except maybe request new documents with updated numbers (like license, medicare etc.).

    • all good comments jussa87, thank you.
      I checked my phone number on haveibeenpwned and fortunately not pwned. My email address had, but I checked that a long time ago and it even reported 3 occurences way back then. I have no recent evidence that my email has been compromised.

      Fortunately, I never use same passwords anywhere. Yes, I am going to start using bitwarden or 1password from today. My PC has latest Trend Micro and I often run Malwarebytes.

      thank again for these strong suggestions, cheers.

  • +8

    So much misinformation on this thread. Sim swap attacks do not rely on the users weak security - they rely on the PROVIDER'S weak security in not verifying the identify of the initial sim activation/swap request.

    So while not using mobile phone based 2FA will limit subsequent damage from a sim swap attack (by not allowing other accounts to have their 2FA intercepted), it will not prevent the sim swap itself.

    https://en.wikipedia.org/wiki/SIM_swap_scam

    In the US there was a push to make cellular providers require better ID verification and it was strongly resisted by the industry.

    I recently contacted commsec to complain that their 2FA is mobile number based and very large trading account balances are at risk due to this exact attack. I requested that they add authenticator app support and the ability to disable mobile number 2FA verification. Their response (as far as I know) was to do nothing.

    • +2

      I think all you can do (besides not use commsec) is get a new number on a longlife plan, and not give it to anyone or use it for anything else other than as commsec 2FA, and enable a code to be needed to do anything with the mobile account.

      Pretty poor of them to not allow app-based 2FA.

      • You don't need to give it to anyone or use it for anything else. They randomly port active numbers. They can test if the number is actively simply by sending an sms to it.

        A user literally can do nothing to stop their number being taken over. It is 100% the responsibility of their provider to prove a person's identity before allowing a number to be changed.

        Commsec does allow app based 2FA (via their app), but as far as I know you can't disable mobile number 2FA. It does BOTH.

        • -1

          Correct. Your new number could be someone else number, It may be out there on dark web sold leaked years years ago.

          • @ChiMot: It would not matter if your number was someone else's number, if they don't know who you are or what services are attached to that number it isn't going to do them any good to port it to themselves.

        • +1

          It actually does matter not giving it to anyone else. It doesn't help them to randomly port numbers, as they'd have no idea who they belong to or what services they are attached to.

          For it to be useful to port a number they need to know who a phone number is associated with - for example they are logging into an account they know the username and password to and need to be able to find out who the account belongs to and then find out what their phone number is to port it and do 2FA (you need 2FA if logging into an unfamiliar device for many services).

          They can find out what your phone number is by doing OSI (googling, looking at your linkedin, Facebook etc), or by breaching another service where you have also used the same phone number, or by having malware on someone's phone where you are a contact or hacking someone's email who has you as a contact. If you don't put that phone number anywhere on the internet (either publicly or as a 2FA to any other service) and don't give it to anyone they can't find out what it is. It would be overkill to do this for random small websites that don't have any credit card info but for something like commsec that could have hundreds of thousands of dollars of shares associated - worth it.

          A phone number used for 2FA should be treated like a password. Only reuse it and have it publicly available for services you don't care about and aren't attached to any money or sensitive info.

          • +1

            @Quantumcat: As soon as they get your phone number they can reset your phone account - they then know who you are.

            This happened to one of my staff in 2020. Their phone number was hacked/ported due to Telstra shitty security. The hacker then reset their Telstra account password. They proceeded to use the registered Telstra email and phone to reset their google account. They then trolled gmail to find services they use and reset those accounts. it is a literally identity nightmare.

            Ironically Telstra made my staff member jump through many hoops to reclaim control of the account, which would have prevented it happening if they did this in the first place.

            • +1

              @lunchbox99: How did they get the account's email/username from just the phone number? If the phone number is not out on the internet they wouldn't be able to associate the two

              • @Quantumcat: It's spelled out in black and white in the wiki link I posted. They start the other way around.

                "The scam begins with a fraudster gathering personal details about the victim, either by use of phishing emails, by buying them from organised criminals,[3] or by directly socially engineering the victim"

                It's well known. It even says Twitter CEO was hacked using this method. Frequently companies outsourced to provide support to the phone company leak the information or directly do the sim swap.

                I watch a few of those YouTube videos where scammers are scammed and it's not uncommon for the scammer to be traced to a business that provides support to multiple western comms firms.

                • +2

                  @lunchbox99: You said

                  They randomly port active numbers.

                  I said that they need to start with details. Now you're saying they start with details. That is exactly what I said in the beginning. There's no scam that can be done by porting a number that you know nothing about. If you keep your number secret then they won't have details to go with it (unless the scam is by creating a phishing site to ask for your email, password and phone number/SMS 2FA code [after sending a request to the real site and then relaying what the user puts in to the real site] but then that isn't porting random numbers).

                  • @Quantumcat: Yes they can port random numbers. All it takes is someone at a telco to access your details (usually at an outsourced 3rd party). It has happened before. I will happen again. You think the twitter CEO publishes his personal phone number?

                    I don't care if you agree or not. You seem to be under some delusion that you're immune to this if you keep your number secret. Good for you. You're wrong, but keep living the delusion.

                    • +1

                      @lunchbox99: The point is porting random numbers isn't going to help them use it for 2FA into an account 🤦‍♀️

                      If they are getting your details and phone number used for an account through phishing then that isn't porting a random number and using it to get into a 2FA-secured account.

                      • @Quantumcat: For the 10th time, they are porting random numbers. All they require is someone at the telco or external contractor (eg mobile phone shop or outsourced support) to leak details. They do not need to get it from the victim. Of course they can also get it from the victim via phishing, but it is not required.

                        This keeps going round in circles. Go read some articles about it. It happens. It happened to one of my staff without any interaction on their behalf (as far as they know).

                        • @lunchbox99: You still don't understand. Porting a random number isn't going to give them your commsec username and password. Even if you get the email and password associated with the telstra or whatever account that isn't going to help you use it for 2FA on commsec. If they're going to get into your commsec account they will need your username/email, password, and the phone number you get 2FA on so they can use the corrupted external contractor you mentioned to port the number.

                          If you don't associate the phone number with yourself anywhere, once they have gotten your commsec username and password then what? What phone number do they ask the corrupted external contractor to port?

                          And if they ask the external contractor for a random phone number, how will that help them find the commsec username and password associated with that number?

                          • @Quantumcat: All someone needs is your name and DoB to gain a commsec client ID. In any case, if they use the ported number to get into your commsec linked email using mobile 2FA, the client ID is probably already there. I just checked my own email - commsec emailed my ID to my primary email account at some point. You then use commsec mobile 2FA to reset commsec pwd.

                            You still seem to arguing the angle that this doesn't happen, despite the obvious evidence that it does. But… I'm not your mother. Go research it. If you think there is zero risk, then fine.

                            You think not telling anyone your mobile makes you safe from this attack. It doesn't. YMMV

                            • @lunchbox99:

                              All someone needs is your name and DoB to gain a commsec client ID

                              Incorrect. They also need your email, and access to that email.

                              I just tried it and it sends your client ID to your email address, and censors the email address. All you're going to achieve by porting a random number and also obtaining the first and last name and DOB for that phone number is the first two letters of the email address associated with the commsec account and the domain of that email. If you are smart enough to have a separate phone number for commsec you're probably also smart enough to use different emails for each important account also.

                              • @Quantumcat: After a sim swap the first thing they do is to take control of your email.

                                People can do all sorts of hypothetical things. You still seem hell bent on trying to prove this isn't a problem when it very clearly is a problem. I don't know what you're agenda is, but if you chose to believe this isn't a problem then fine.

                                I'm out. I don't think you have raised anything new and my job isn't to prove or disprove the validity of a well-known attack.

                                You seem to be completely missing the point. Mobile phone based 2FA is weak. Nobody should be using it. It is transmitted as plain text and is easily intercepted and/or taken over. The resistance of the phone industry in the US to making them more responsible for identity verification is because they argue mobile phone numbers were never designed to be a security device and this is reflected in the weaknesses around it's technical implementation. Phone companies also don't want the responsibility of being a gatekeeper in a chain of identity security.

                        • +2

                          @lunchbox99:

                          For the 10th time, they are porting random numbers. All they require is someone at the telco or external contractor (eg mobile phone shop or outsourced support) to leak details.

                          You're not talking about "random" numbers, then.

                          I think Quantumcat's original point is valid. While nothing's a guarantee, having a seperate, kept-as-secret-as-practicable number will significantly enhance security for accounts where SMS is the only 2FA option.

                          • @Jabba the Hutt: Random in the sense that it does not require the user to have done anything to leak info.

Login or Join to leave a comment