I Was Illegally Ported - How to Avoid This?

Late last week I was the victim of an illegal porting of my mobile phone number (Aldimobile) by a scammer/hacker! I noticed this since I suddenly lost service! This was immediately followed, within the same hour, by a cyber attack on several different banks I use. I was alerted to these attacks by automated emails that the banks sent me where funds were attempted to be transferred from different accounts etc. As far as I know, the banks and I were able to stop all these fraudulent transfers. I am still in the process of getting all my internet banking accesses back on-line however. Aldimobile was able to get my number back the next day, thankfully. Aldimobile told me that they received a replacement SIM request from the hacker!

So, my question is - whilst there are lots of things we can do to increase our internet security, what can a person do to mitigate the risk of having one's mobile phone number illegally ported (i.e. hijacked)?

EDIT: ChiMot said that I should have received an SMS from provider asking if this port was authorised: see https://www.acma.gov.au/port-customers-phone-number
If this had happened, this problem would NEVER have occured, so I think Aldimobile failed - I will be following this up with them!!

NOOOO!! As somebody else pointed out, I didn't get the sms because it was not technically ported out, it was just transferred to another SIM (aka SIM swap)

Further update: Further research has led me to believe that there is a loophole in the ACMA rules for providers in how number porting must occur wrt security. https://www.acma.gov.au/port-customers-phone-number As far as I can see, the rules of checking the validity of the request ONLY APPLY to porting and not SIM swapping. If the same rules were applied to SIM swapping, this would never have occurred to me. Conclusion: the ACMA rules fall short in ensuring adequate security by not mandating the same security measures apply to SIM swapping as they do to porting.

Related Stores

ALDImobile
ALDImobile

Comments

        • +2

          don't you need the name and bday to match - how do they know the name and bday of the owner of a random number if they are just trying random numbers?

          • @FutureTech: I've got a second secret mobile number that I only use for banking, super and centrelink. The date of birth associated with that mobile number is made up, to reduce the risk of it being somehow ported.

    • disable mobile number 2FA verification is the hardest part. I've found most services that allow app-based 2FA such as Google Auth or Authy often have SMS as the 'back-up' 2FA and you can't change it. Absolutely shithouse.

  • -1

    Sounds like an inside job. Somebody who has had access to your phone. NEVER keep passwords on your phone. You should have nothing more than password reminders

  • -3

    Use an easy password to remember for websites you don't mind being hacked. But use difficult, but different passwords for services that you don't want to be hacked. In this way, you don't have to remember as many passwords, only the ones you need to remember.

    • +3

      No, use a password manager. If you have good password hygiene there's no way you can remember all of your passwords

  • So they hackers need quite a bit of info including who your mobile provider is. Seems like you are going to have more issues in future as they seem to have quite a bit of info on you. Keep safe.

  • +1

    So if I have this correct

    • Someone has your password / passwords most likely from an online dump
    • A password and your email address was used for Aldimobile login
    • Someone's used this available info to log into your Aldi account and transfer the number to a new aldi Sim. Which bypasses the port verification safety protocol.
    • Once ported. Attempted to log into your bank's using the mobile 2FA

    Damn. I never thought about this as a loophole for hackers. Is assumed any change to a new SIM was verified. But I've never done a same service transfer before so didn't know that it didn't require verification.
    This would also mean that they don't need your full info like DOB which is also needed as a verification to port.

    Very clever and sneaky..

    Anyway it's a good point to make to everyone to make sure your passwords are unique for sensitive sites.

    • This would also mean that they don't need your full info like DOB which is also needed as a verification to port.

      That's for prepaid accounts. For post paid, your account number with the losing provider is required.

      Once ported. Attempted to log into your bank's using the mobile 2FA

      So, that means the hacker has OP's bank login details as well. OP needs to examine how such details were compromised in the first place.
      Are they reusing email addresses and passwords across multiple sites (which is a definite no no for those who are security conscious)?

      • They are not porting you to a new provider. They are changing your number at the current provider.

      • Using the phone number combined with other personal details, they can probably reset access to internet banking over the phone.

        • Just tried hacking myself with one of my banks.

          I didn't get very far (pretending to be a hacker with access to my number). Because I pretended not to know the security code on the account, I was asked to see a branch during opening hours to verify my ID (in order to set a new security code).

          I guess the answer is depends on the bank, and how much of your ID has been compromised.

    • Agree. Likely that they used "credential stuffing" into Aldimobile and your username-password combo (that was likely part of a leak) happened to work.

  • I recently helped a friend out who almost got stung for 2x 5 figure amounts being transferred from their bank accounts.

    Scumbags ported their numbers and then just called their financial institution to do a reset on their account. They kindly let them do a reset and bam they were in.

    They have since moved their banking elsewhere.

    If your bank does not have a proper 2FA application or the ability to use one (not SMS), you should move your banking to someone else.

    Or, just be poor and not have any money to transfer. That works also.

    • Which bank was the culprit? Where did they went to afterwards?

    • Other than email and SMS what's another form of effective 2fa?

    • This is exactly what I'm debating with someone above. It can and does happen.

  • It wouldn't have anything to do with this "Joker Virus" - https://www.entrepreneur.com/amphtml/381038

    • +1

      no, I don't have an Android phone!

  • @GOCAT9

    I Was Illegally Ported - How to Avoid This?

    The title of this thread is blatantly deceptive (i.e. click-bait).

    You number was not illegally ported. Your SIM was swapped out due to your ALDI Mobile account being hacked.

    • +2

      Yes, that's correct, in hindsight only, However, initially it appeared to be ported at the time the post was created, it was only after investigation that we realised that a SIM swap had occurred. So at the time of creation, it was not deceptive!

      • So at the time of creation, it was not deceptive!

        Okay, point taken. I would have assumed the same if my SIM status changed to No Service or SOS (within an area where service is available for the carrier concerned).

        You can always ask the mods to update the title.

        by a cyber attack on several different banks I use. I was alerted to these attacks by automated emails that the banks sent me where funds were attempted to be transferred from different accounts etc.

        This is what I am most curious about.

        a) Other than the SMS token, the hacker would also need to know your internet banking details, right?
        How were these compromised?

        b) You mention multiple banks. Are you reusing passwords across all of these banks?

  • Sorry to hear. This is what concerns me about some banks using SMS authentication as the primary login method rather than as 2FA

  • +1

    The reason that they cannot do the same for SIM replacements (SIM Swap) on the same network is:

    In the event of a legitimate SIM replacement from ALDI. How could you confirm via text on your phone that you are happy to authorise a replacement SIM.?Considering that you would have lost the sim and presumably not have it in your phone? That is why you want a replacement.

  • I am still curious how they got access to your bank information with only phone number. Did they call the bank with your phone and used social engineering to get access? They would still need to know some information about you, which I assume they had since they had access to your Aldi mobile.

    I would be good to know the bank you use. If they have bad security, then this would be good for everyone to know to avoid.

    • Not sure about op, but when I used them previously, 86400 used only your mobile number for sms login and nothing else. Up bank only adds a 6 digit code on top of this which still seems very insecure. So some banks have this vulnerability

    • As I wrote above - looks like pc was hacked and all bank information was collected. As OP said - few attempts were made with different bank accounts.
      It's not possible to get all this info just from one number.
      They had the info and after that did SIM swap to be able to login into banks.

  • I know Telstra made changes a while back as I did my own SIM swap, connected to their 24x7 chat and did the SIM swap, as part of that they sent an SMS code which I had to provide back to them. Granted, if you were swapping because you didn't have access to the old one, they'd probably go to the next steps for ID verification. I don't know what these steps are though.

    At some point, you must have fallen victim to phishing, provided details for them to be able to do this. For them to know what telco you had your service with, what banks to attack etc. tells me they probably had access to your primary email service to see where you were getting emails for these sorts of services.

    Something that has become standard practice for me, using a password manager with unique passwords for every site/service and enabling 2FA for every site that allows it. If one site becomes compromised, or for whatever reason you hand over a password through phishing, it will only be for a single website, not all of them.

    I've had a few small attacks on different services in the past. Generally through my details being obtained through website data breaches (this is becoming the most common one these days) where you have no control over the loss or handing over of your information. Thankfully, due to having unique passwords everywhere, their attempted logins failed and they would've needed to pass 2FA on these particular sites as well even if they had the correct password.

    • The 2FA Telstra use is not 'always' used. Generally from what ive seen if there is any sort of pushback from the customer the consultant will ask for a different type of identification eg. dob.

      If this is refused, the scammers will just keep getting new consultants on Online Chat until they find someone that will do it for them.

  • i would suggest email was probably hacked first. They took their time and went through your emails and probably got you account details for all you banks. and phone services. once they had access to that they take over your phone via a sim swap. and start doing resets for all of the banking stuff. not hard and something that can obviously snowball quite quickly

    • -1

      You can't get any bank account info from email address. PC was hacked to get username/passwords.

      • -1

        Not true, sounds like this person probably uses similar logon details for multiple/many/all sites to be attacked like this.

        Possible PC hack with keylogger etc. but most probably fallen victim to a phishing scam for some details and emails probably monitored for other sites (banks/phone service etc.)

        • All bank accounts are with client number and password. There is no email used, that's I am thinking PC is hacked. You can't get easily username or password just using email.

  • +1

    Unfortunately there's nothing you can really do to stop an illegal phone number port from happening if the carrier doesn't follow proper procedure like they should. What you can do to protect yourself as much as possible if it does happen is to use app or hardware token based Two Factor Authentication where ever possible. SMS 2FA isn't secure but is still widely used, even by our own Federal Government, which is why the the fraudsters still use this number port method. You want 2FA on your financial service providers and email logins as a minimum & not having SMS 2FA as a option for password recovery to these services either. This is what they are looking to do. Port your number so they can get a SMS code for a email password reset. Once they get into your email & can receive your SMS messages they can do a lot of damage very quick by doing password reset requests. Then follow the other basic security best practices of using strong passwords, not reusing passwords, use a password vault etc.

  • Lol Aldi, on the app you need to put in a pin before recharging (not logging in, it stays logged in), I guess to avoid someone getting into your account and spending heaps of money? But then if you go into settings, you can turn it off without a pin and then proceed with the recharge. I haven't recharged in a while so I don't know if this is still the case.

  • This is why I am looking for esim

  • +1

    Is OP pushing blame onto others?
    This situation is unfortunate and can happen to any of us but at some point OP has been lax with their security and provided their personal information to a hacker to enable them to do the port.
    Rarely is this information hacked, often the owner is tricked into handing it over.
    A common method at the moment is a fake SMS from the Telco wanting to reconfirm details including drivers licence and banking details.
    OP needs to use this as a lesson to improve security.

  • All I can say is good save OP. You're lucky.

    The only good options I see to avoid is to keep a separate phone number for banking. Use a different number for your primary use. This potentially shields your banking number from getting out in the wild. This however will not work if the hack was through a banking or credit file data exposure because that would include your banking phone number.

    It's also prudent to have 2 numbers on file with the bank.

  • +1

    It's tricky. The porting rules cannot be applied to a sim swap. After all, most sim swaps are performed because the individual has lost their sim or it has stopped working.

    Only way around it would be to require 2FA (with an authenticator app) to log into your account portal to initiate the swap. Not sure how much that would take to implement.

  • Replacement sim does not required the otp
    However they might have send you the email code?

  • -1

    I guess all you can do is use standard measures to prevent identity theft, change passwords, don't use similar combos etc.

    Things like this do make me wish Australian businesses, banks, government, financial institutions etc. genuinely understood proper 2 FA and security rather than just sending some stupid message to your number which pops up right on the screen 90% of the time.

  • I feel for you OP, it's a frustrating situation to be in.
    On a separate note, I ported out of Kogan last night to Circles and strangely, I didn't get any confirmation SMS or even email from Kogan. All I got was an SMS from circles stating 'enter code xxxxx for circles verification' whereas when going from telstra to Kogan last year I got all sorts of emails andSMS. Anyone else had similar experience?

  • +1

    If you are with Telstra you can request online access to your account removed. This means that if you ever require something from Telstra such as a sim replacement or new phone etc it will need to be purchased in person at a Telstra store. Ive seen this done before for both consumer and business customers who have been victims of scams in the past.

  • ACMA rules do not fall short, SIM swapping has to be possible for lost/broken sims. That would create an awful nightmare for legitimate cases.

    • Further research has led me to believe that there is a loophole in the ACMA rules for providers in how number porting must occur wrt security.

    • 100% wrong!!
      If Aldi had sent an SMS to the original, allegedly lost or broken Sim, before the Sim swap, then this would never have occurred to me as I would have had an opportunity to stop it. If the original Sim was lost or broken, then yes no response to the SMS would have occurred and then the Sim swap would’ve proceeded legitimately. Does that make sense to you now?

      ACMA rules currently states that the telco does not have to SMS for a Sim swap only assume Port. Furthermore Acma have agreed this is a vulnerability to everybody’s phone number and they are looking to change the rules!!

      • If Aldi had sent an SMS to the original, allegedly lost or broken Sim, before the Sim swap, then this would never have occurred to me as I would have had an opportunity to stop it.

        What if the SMS was sent while you were in a cinema, asleep, while you were out for a jog, while you were camping over a long weekend, etc? How many hours or days should the telco wait before proceeding?

        • Ok, fair comment, but what if I WAS immediately available-I could have stopped it. So maybe, the policy should be, they send and wait say 1 hour before porting/sim swapping etc. Any time period would be better than no SMS as it would stop many but maybe not all illegal activity!

  • +1
  • After they got your phone number…. How did they get access to your bank accounts?

  • Your strongest password should be your telco log-in.

    If you haven't already done so, anyone reading this should change their telco log-ins (and their parents', siblings', partner's, etc) right now.

  • do you have the same email address for all of your accounts?

  • Thanks for all the useful info - the simplicity of this attack really blows my mind…

    On the upside, I've now made my telco provider password much stronger and got them to put a PIN on my account to try and prevent a sim swap attack. They were actually really helpful. Who knows if it will help but it's better than nothing I guess?

  • This has just happened to my friend.
    one important old but gold security feature everyone needs to start using again is setting sim pin
    So if you lose your phone which is locked (hopefully) they can't just insert the sim in another device and use it.

    • So if you lose your phone which is locked (hopefully) they can't just insert the sim in another device and use it.

      Or, you can call up your telco immediately to place a temporary block on the lost SIM.

      How does setting a SIM PIN help with relocating a number onto a new SIM on the same network, which is what happened to the OP?

  • This just happened to my wife !! woke up to her phone having no signal, they were straight onto the bank trying to gain access but luckily they have it on hold pending ID

    Called Telstra and they have been absolutely (profanity) useless, thinking its phone reception issues, Saying they could call back within 24-48 hours ….. We called the bank and got through in 8 mins.. They failed the questions so luckily the bank has been frozen find out tomorrow if they managed to transfer anything out.

    Telstra's fraud department is only Mon-Fri….Pathetic !

    She had no text either

  • Telstra is now working with banks and other orgs to stop illegal porting and sim swapping. At last something is being done.

    https://www.gizmodo.com.au/2022/01/telstra-sim-swap-porting-...

Login or Join to leave a comment