Number porting fraud - some ways to fix it?

Forums › New Zealand Mobile and Wireless › Number porting fraud - some ways to fix it?

boosacnoodle

963 posts

Ultimate Geek

#270303 3-May-2020 12:54

I saw this article on stuff which got me thinking - what can we do to prevent number porting fraud? Ultimately my gut feeling is an SMS alone should not be enough to reset a password online, let alone one that gives you full access to a bank account. Unfortunately, ANZ, SBS and Westpac (asks for a security question first) all allow your password to be reset over SMS with fairly minimal checks involved.

So what checks are done before your number is ported out? Only two things are checked before your number is ported. These are:

Losing carrier, i.e. the old provider
Phone number;
Depending on the account type:
- Prepaid mobiles - SIM number
- Postpay mobiles - account number

Without physically having the SIM card on-hand, in which case all bets are off anyway, it is relatively difficult to find the SIM number. I'm not aware of any provider that emails it or shows it in their online portal. However, for postpay customers, assuming your email or physical mail is compromised in some way it's quite likely that a hacker could find your bill which likely has your account number on it. Accordingly, if the hacker has access to your bill & you're on postpay - your number can now be ported out.

Some ideas to stop this: (Ordering from (IMO) best to worst)

Amend the porting process so that once the port is accepted by both carriers a txt message is sent to the number with a unique link to an online portal to confirm the port. Enable does this when you switch UFB providers and it works really because it also lets you specify the date you'd like it to happen
- Pros: Requires you to have physical access to the number to port it = significantly more secure, wouldn't require any changes on the carriers side, doesn't rely on any one carrier to securely implement it, i.e. no carrier weaknesses.
- Cons: Slightly delays the porting process
Require a unique security code for porting - similar to UDAI used for .nz domains.
- Cons: Could be a pain to securely store & transmit the information to the customer, i.e. if their online portal account got compromised
"Porting lock" on your account - similar to that used on .com domains & on credit files where any port would be automatically rejected unless you changed the flag on your account
- Cons: Could be a pain to securely store & transmit the information to the customer, i.e. if their online portal account got compromised
Require the SIM number for postpay, as it is currently for prepay

What do you think?

BlinkyBill

1443 posts

Uber Geek
Inactive user

#2475755 3-May-2020 13:03

I don’t know about the others, but for ANZ you can only change your password if you know your password; and there is an opt-in 2FA-style verification step (which everyone with a registered phone should use). Hacking in using the ‘I can’t log in’ feature requires you to enter additional details, and again, the 2FA-style option exists for verification, which is not optional.

so you cannot reset an ANZ password using just an SMS.

chevrolux

4962 posts

Uber Geek
Inactive user

#2475867 3-May-2020 15:11

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.

networkn

Networkn
32350 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2475870 3-May-2020 15:14

You should NEVER use SMS as a 2FA method.

tardtasticx

3075 posts

Uber Geek

#2475876 3-May-2020 15:39

chevrolux:

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.

Yeh but the problem is that doesn't apply for porting numbers, there's no verification other than providing somewhat easily obtainable information (SIM# or Account#, and the losing service provider name). If you have those details you can take the number to any carrier in NZ no questions asked, and it's entirely automated.

SIM swaps between the same carrier can be easily controlled by each carrier implementing their own rules (like visits to stores), but it's inconsistent such as the case with Skinny who I believe don't have any rules like a store visit being required and the SIM swap can be done online.

Andib

1363 posts

Uber Geek

ID Verified

Trusted

#2475879 3-May-2020 15:58

networkn:

You should NEVER use SMS as a 2FA method.

I disagree with this statement, yes SMS 2FA is one of the worst of the MFA options BUT... it’s a hell of a lot better than no MFA at all. Having to fraudulently sim swap/port a number is too much effort for most people looking for easy targets.

I do wish banks would support more modern MFA options.

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

BlinkyBill

1443 posts

Uber Geek
Inactive user

#2475880 3-May-2020 15:59

networkn:

You should NEVER use SMS as a 2FA method.

Why not? If you changed your password (something you know you did) and the service provider verifies to your cellphone (something you told them you have), what’s wrong with that?

richms

28169 posts

Uber Geek

Trusted

Lifetime subscriber

#2475889 3-May-2020 16:16

BlinkyBill:

networkn:

You should NEVER use SMS as a 2FA method.

Why not? If you changed your password (something you know you did) and the service provider verifies to your cellphone (something you told them you have), what’s wrong with that?

Because as that article demonstrates, you may not have your phone anymore and not know it for some time.

Also the sms codes are at the risk of an app on the phone sending them off to the scammers and hiding them from the phones owner. It is not a secure medium at all and there are much better systems. Using a phone number for authentication is basically outsourcing it to a company that TBH is not really that good at it.

I have a specific 2 factor phone that I dont use for anything else. The annoying thing is so many places do not allow for mulitple phone numbers to be provided. Or if they do its a "home" and a "mobile" which have limits on what formats can be entered and even if you can put a mobile in as the home, they will not SMS to it. Also they will not 2 factor or even notify you about things over any other medium because its "not secure" - I would trust the security of most messanging apps more than SMS.

Richard rich.ms

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

boosacnoodle

963 posts

Ultimate Geek

#2475891 3-May-2020 16:18

networkn:

You should NEVER use SMS as a 2FA method.

I'd agree but unfortunately a lot of banks require a mobile phone number on the account now. That same number is also often used for 2FA with little choice. I wish banks would introduce TOTP but I can't think of any. The only two that have something non-SMS based that occur to me are BNZ (NetGuard = card with digits on it) and Rabobank (a wee-calculator like-device you put a PIN into for OTP).

chevrolux:

It's fairly irrelevant here in NZ now that, I'm pretty sure, all our mobile carriers require you be in a store to swap sims. They won't do it over the phone.

All it takes is one staff member to make a mistake or a "mistake". Unfortunately its happened numerous times already here in NZ before and very widely overseas. After all, policy is not infallible. In any case, what happened here wasn't a SIM swap but rather a fraudulent port out. Unfortunately there is very little protection for this kind of attack.

You also may not be aware as it hasn't really been publicised that widely (probably for PR reasons I'd imagine) but I am aware of a number of cases involving the larger carriers in NZ that have paid out settlements over failings with regards to the SIM swap policy not being followed which subsequently caused serious financial harm to the involved customers. These were not small numbers either - I'm taking six $ digits.

mudguard

2114 posts

Uber Geek

#2475914 3-May-2020 17:12

What I don't understand about the number porting, is how are they getting any of the customer's bank details?