Preventing Unauthorised Porting by Fraudsters

Hey guys, this is not a bargain question but it's about saving hard earned money too!

I've been reading so much lately about scammers and how they steal your money.

One recurrent thing that happens is usually the victims lose their mobile number in a process called unauthorised mobile number porting.

So I did some reading and there is mention that you could try to prevent that porting by requesting your telco to set a PIN on your account.

I'm with Coles mobile, is there such a way to set a PIN?

Is there any other way people are aware of to prevent porting? (apart from the usual don't press on unknown links etc)

Comments

  • I was wondering exactly this today too!

    Basically there doesn't seem to be a way to stop a request to port if the request has correct details, either the DOB of the owner or account number.

    The only defence these days is that the requesting telco needs to confirm the request by SMS to the mobile to confirm ownership prior to accepting to request the transfer.

    I think it needs to be stronger and that we should be able to lock the account to prevent porting, but that's apparently problematic as the regulations state that the telco cannot be obstructive in the porting.

    • +1

      Should be moving to app checking.

      But if you lost your SIM, how could you replace it if asked for SMS?

      • That's also another way fraudsters are getting your number.

        Remember there was a case of someone who lost their number as a fraudster went on online chat with Optus for a SIM replacement, managed to get a new e-SIM issued after passing verification and proceeded to empty their bank accounts.

  • +6

    Telcos have been required by law to verify the porting request came from the owner before commencing number porting since 2020. The exact process varies between telcos. — https://www.acma.gov.au/port-customers-phone-number

    • ah yes because things written in law are always adhered to by large corporations, especially telcos. Give me a break.

      There are always stories of people's phones being ported by scammers.

      • -1

        you make a great point coffee, we should abolish that law

        removing requirements for telcos to check before porting will probably vastly reduce the amount of porting that happens. that's how making things easier to do works, right? it stops happening?

        • Nice strawman there buddy. I never said to abolish anything, I just said that just because it's a law, doesn't mean companies will follow it, as we have seen with all the fun data breaches.

          • -1

            @coffeeinmyveins: Is what you said ("just because it's a law, doesn't mean people will follow it") an observation that can be applied to all laws?

            Is it a useful comment in any discussion?

            Nice contribution there, buddy.

  • From someone that has recently been 'ported' and had about $20k stolen from bank accounts, this is very real.

    My porting was done by the hacker getting a replacement E Sim, on my same provider, aldimobile.

    That then allowed them to receive all those 2FA messages without my knowledge, and take lots and lots of my hard earned money.

    2FA is hopeless

    Telco providers are actually hampered by legislation that requires users to have almost free access to do what they want.

    Won't bore you with all the details, just PLEASE don't rely on 2FA and DON'T share the same password for online banking with any other online entity.

    • +4

      "Won't bore you with all the details"

      That's exactly what we want, the details.

      How was it resolved, if it was?

      Did Aldimobile deny all responsibility and pin the blame on you?

      Did Aldimobile implement a precautionary measure on this loophole after your case?

    • +5

      2FA is great if you can secure the 2nd factor; in the case of an SMS-based 2FA system, the second factor is not your phone, but your phone number. Other 2FA systems (e.g. TOTP systems like Google/MS Authenticator, Authy) or pop-up phone authentication require physical access to your phone, or a much more sophisticated attack to capture your phone screen in real time, or a social engineering attack.

      2FA itself is not the problem, just SMS-based 2FA is easily circumvented. Use 2FA and good, unique passwords (use a notebook or password manager, but guard the hell out of your password manager, and definitely use 2FA for your password manager).

      • -3

        2FA is crap. Let me upload an ssh key and be done with this shit - at least for important accounts like bank, email.

    • +10

      "My porting was done by the hacker getting a replacement E Sim, on my same provider, aldimobile."

      Wait a minute, Aldimobile don't even support e-SIM yet?

      "We may support eSIM, but we don’t have a date yet. Keep checking this site for updates."
      https://www.aldimobile.com.au/blogs/using-and-managing-your-…

    • +3

      "DON'T share the same password for online banking with any other online entity."

      This should be lesson one.

      2FA, via either the weaker SMS or alternate much stronger methods like app notification approvals or authenticator keys, shouldn't be an excuse or reason to make the first primary authenticated factor (i.e. your password) poor.

      If you aren't using per-site unique passwords these days (and ideally ones you'd never remember and stored in a password manager), especially for anything that's not just a throw away who cares website, it's time you should be.

    • "Won't bore you with all the details, just PLEASE don't rely on 2FA and DON'T share the same password for online banking with any other online entity."

      You haven't offered an alternative solution for 2FA that solves a myriad of other attack vectors.

      "DON'T share the same password for online banking with any other online entity."

      So you got money stolen because you use a common password, gotcha.

    • I wonder if sticking with big players like Telstra offers some more protection.

    • 2FA is certainly not hopeless. The hacker also got your usernames and passwords. Sounds like you had a bigger compromise where they got lots of your credentials. If you are reusing the same password across many services then you made their work a lot easier. If you had your credentials in a text file on your computer and they got access to it, then you made their work a lot easier etc etc.

      I suggest you read these articles and rethink where you can improve: https://www.cyber.gov.au/protect-yourself

  • +1

    There were significant reforms to port verifications recently. You must authorise the port by text message 2 factor now. This is nowhere near as big of an issue as it was.

    • "There were significant reforms to port verifications recently."

      That was the requirement for the gaining Telco to make sure that the number belonged to the person, which most I think currently do by sending a check SMS before porting.
      But that requires due diligence from ALL the many telcos, incl small MVNOs, and there may be some that don't implement the ownership check well.

      I would prefer, as the owner of the mobile number, to have the ability to tell my telco to lock it from being ported unless I authorise it (e.g. by online log in etc., similar to how we can now put a block and unblock our own credit cards by internet banking).
      The amount of potential loss if I lose control of my mobile phone number far exceeds any losses from simple credit card transactions, and I want to do everything to mitigate that.

        • Now all telcos, even MVNOs, must perform 2 factor verification for porting and anything high-risk. Before it was simply left at the gaining telco to do verification

          To my knowledge, this requirement is for the gaining telco - hence the use of the check SMS code.

          There's nothing that the losing telco has to do, or is there? Would be helpful if there were different checks on both sides.

          I hate that just about everything is now secured by one's mobile phone - lose that to a scammer and …….

            • @kipps:

              The losing telco has to take steps to verify that the port request has come from their customer.

              That would be good, but doesn't seem to be happening in practice.
              I ported some family members from Belong mobile to Woolworths Mobile in April 2023, and there were no security checks from Belong that I am aware of.
              Only a code which was sent by Woolworths Mobile to the mobile phone before allowing the request to transfer to proceed.

              Anyone have a different experience porting from Belong mobile?

              • @pencilman: Wow, sorry, looks like I've missed a carve out under the reforms - despite port requests being a high-risk transaction the 2022 reforms later exclude MNP requests from the definition. It therefore does not apply to MNP requests. I had however earlier received communications from Telstra to the effect that they were applying it to all requests, and they in fact were doing that when I last ported.

                Inconsistency remains for MNP porting, and all the gaining provider needs to do under the standard is:

                (2) Prior to initiating the port of a mobile service number, a gaining carriage service provider must, for all customers, use at least one of the following additional identity verification processes to confirm the requesting person is the rights of use holder of the mobile service number to be ported:

                (a) confirming the requesting person has direct and immediate access to a mobile device used in association with the mobile service number to be ported;

                (b) use of a unique verification code:
                (i) which is sent by the gaining carriage service provider via SMS message to the mobile service number which is to be ported; and
                (ii) from which the gaining carriage service provider receives immediate confirmation via SMS message that the customer, or the customer’s authorised representative, has received the unique verification code;
                Note: Providers may also indicate what a customer should do if they receive an SMS message and did not request a port.

                (c) use of one or more forms of biometric data; or

                (d) where a large business customer is porting mobile service numbers under a contract with a mobile carriage service provider – confirming the requesting person is the authorised representative of the large business customer and that the requesting person has direct and immediate access to the primary number associated with the large business customer.

                ACMA obviously appreciates SIM replacements are high-risk transactions and I cannot understand why the MNP standard requires less verification.
