PSA: mobile number ported and bank account drained

Forums › Android › PSA: mobile number ported and bank account drained

Batman

Mad Scientist
20924 posts

Uber Geek

Trusted

Lifetime subscriber

# 243802 2-Jan-2019 17:27

I heard from a friend that their direct relation had their phone number ported to another carrier, by thieves and then their bank account was drained after using the phone number as bank account verification for log in.

How does one prevent that?

(Just realised while typing that this may not be android related, though the phone was an android)

Involuntary autocorrect in operation on mobile device. Apologies in advance.

1 | 2

8874 posts

Uber Geek

Lifetime subscriber

# 2153399 2-Jan-2019 17:32

i highly doubt thats the full story

banks are more careful than that, my bank requires a pin number for over the phone dealings along with the account number.

Batman

Mad Scientist
20924 posts

Uber Geek

Trusted

Lifetime subscriber

# 2153416 2-Jan-2019 17:49

Well I checked out the story on the Internet and it's been done many times around the world

Involuntary autocorrect in operation on mobile device. Apologies in advance.

jamesrt

847 posts

Ultimate Geek

Trusted

Subscriber

# 2153417 2-Jan-2019 17:49

I guess technically if the bank uses an SMS as a 2-factor authentication, it may be possible to hijack that.

Regular password changes and strong passwords would help prevent this; and a password manager would assist with that.

Also paging @michaelmurfy; who may wish to comment further?

TENKAN

223 posts

Master Geek

# 2153419 2-Jan-2019 17:50

Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

tenkan

gehenna

5778 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 2153421 2-Jan-2019 17:58

9 people support this post

Friend of a friend stories rarely turn out to be accurate. Even friend stories can be 50/50 lol

loceff13

794 posts

Ultimate Geek

# 2153425 2-Jan-2019 18:05

TENKAN: Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

When I lost my SIM on Spark I had to provide my current mobile ph number, name, DOB and the model of phone I used that SIM for and that was deemed enough to transfer it to a new SIM for me, pretty easy for someone close to you to know.

So it likely depends on the provider and the details they hold for that account.

richms

22524 posts

Uber Geek

Trusted

Subscriber

# 2153430 2-Jan-2019 18:16

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldnt be offering it. As it is clear that banks dont give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.

Richard rich.ms

scuwp

3209 posts

Uber Geek

# 2153470 2-Jan-2019 18:56

One person supports this post

It’s on the internet, it must be true.

Always be yourself, unless you can be Batman, then always be the Batman

Batman

Mad Scientist
20924 posts

Uber Geek

Trusted

Lifetime subscriber

# 2153473 2-Jan-2019 19:06

One person supports this post

richms:

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldnt be offering it. As it is clear that banks dont give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.

Reading more into it, 10,000,000 + has been stolen in Australia using this trick because by law an Aussie carrier is required to port within 3 hours of a request being made. (I guess the thieves know that in a 3 hour window from port request they can gain access, giving them a window to concentrate on)

Apparently T mobile has a porting PIN that you can set up so that porting your number requires the PIN.

I don't think my Skinny number has a porting PIN.

Involuntary autocorrect in operation on mobile device. Apologies in advance.

michaelmurfy

Mr Snotty
8876 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

# 2153478 2-Jan-2019 19:21

2 people support this post

There will be more to this.

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

There is also transfer limits on most accounts - by default, this is $1000.

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

But really - I call BS here. Also, on that note this is why you don't use POLi!

Batman

Mad Scientist
20924 posts

Uber Geek

Trusted

Lifetime subscriber

# 2153479 2-Jan-2019 19:26

https://www.google.com/search?q=australia+number+port+bank+steal

Involuntary autocorrect in operation on mobile device. Apologies in advance.

Batman

Mad Scientist
20924 posts

Uber Geek

Trusted

Lifetime subscriber

# 2153481 2-Jan-2019 19:29

michaelmurfy:

There will be more to this.

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

There is also transfer limits on most accounts - by default, this is $1000.

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

But really - I call BS here. Also, on that note this is why you don't use POLi!

I understand that yes they need a lot more than just your phone number, and they would have gained them already. But let's say they do and they need your number, there should be a way to prevent our numbers being ported so easily.

Involuntary autocorrect in operation on mobile device. Apologies in advance.

kyhwana2

2458 posts

Uber Geek

# 2153483 2-Jan-2019 19:46

michaelmurfy:
There will be more to this.

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

There is also transfer limits on most accounts - by default, this is $1000.

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

But really - I call BS here. Also, on that note this is why you don't use POLi!

Bank phishing and banking trojans are sophisticated enough to get all of this.

If there is money involved, SMS 2FA is NOT sufficient, as attackers can port or intercept SMS 2FA token

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoins

blakamin

4431 posts

Uber Geek
Inactive user

# 2153484 2-Jan-2019 19:46

michaelmurfy:

There will be more to this.

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

There is also transfer limits on most accounts - by default, this is $1000.

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

But really - I call BS here. Also, on that note this is why you don't use POLi!

But if the customer has ever upgraded their limit (which most people with a need to transfer more than $1k will do. For instance, I transfer more than that to my Mrs every fortnight just to pay bills, Would be more if I got paid monthly).

What's onlinecode?? I bank with ANZ, have changed phones, and ported about 8 times, in the last 4 years alone and have never heard of it. If they have my number, they have my SMS verification.

I transfered/juggled many many thousands when we bought our last house to cover stamp duty and other things when the was some issues with another bank account... Nothing ever triggered any fraud things.

Oh, and while you're there, tell head office in Oz that i'm seriously unimpressed with them holding my wages hostage overnight (or until tuesday if my pay goes in on a saturday) for them to "clear" from a company that also banks with ANZ. It's a rort and they're bastards.

Bung

2998 posts

Uber Geek

# 2153491 2-Jan-2019 20:12

2 people support this post

michaelmurfy: Also, on that note this is why you don't use POLi!

You saying "don't use POLi" is like whispering into a thunder storm. The Banks are letting it happen what signal does that send?

1 | 2