Geekzone: technology news, blogs, forums




Mad Scientist
20924 posts

Uber Geek

Trusted
Lifetime subscriber

# 243802 2-Jan-2019 17:27

I heard from a friend that their direct relation had their phone number ported to another carrier by thieves, and then their bank account was drained after using the phone number as bank account verification for log in.

 

How does one prevent that?

 

(Just realised while typing that this may not be android related, though the phone was an android)





Involuntary autocorrect in operation on mobile device. Apologies in advance.


8874 posts

Uber Geek

Lifetime subscriber

  # 2153399 2-Jan-2019 17:32

I highly doubt that's the full story.

 

Banks are more careful than that; my bank requires a PIN number for over-the-phone dealings along with the account number.




Mad Scientist
20924 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2153416 2-Jan-2019 17:49

Well I checked out the story on the Internet and it's been done many times around the world




Involuntary autocorrect in operation on mobile device. Apologies in advance.


 
 
 
 


847 posts

Ultimate Geek

Trusted
Subscriber

  # 2153417 2-Jan-2019 17:49

I guess technically if the bank uses an SMS as a 2-factor authentication, it may be possible to hijack that.

Regular password changes and strong passwords would help prevent this; and a password manager would assist with that.

Also paging @michaelmurfy; who may wish to comment further?

223 posts

Master Geek


  # 2153419 2-Jan-2019 17:50

Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.




tenkan

5778 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 2153421 2-Jan-2019 17:58
9 people support this post

Friend of a friend stories rarely turn out to be accurate. Even friend stories can be 50/50 lol

794 posts

Ultimate Geek


  # 2153425 2-Jan-2019 18:05

TENKAN: Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

 

 

 

When I lost my SIM on Spark I had to provide my current mobile ph number, name, DOB and the model of phone I used that SIM for and that was deemed enough to transfer it to a new SIM for me, pretty easy for someone close to you to know.

 

 

 

So it likely depends on the provider and the details they hold for that account.


22524 posts

Uber Geek

Trusted
Subscriber

  # 2153430 2-Jan-2019 18:16

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldn't be offering it. As it is clear that banks don't give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.





Richard rich.ms

 
 
 
 


3209 posts

Uber Geek


  # 2153470 2-Jan-2019 18:56
One person supports this post

It’s on the internet, it must be true.




Always be yourself, unless you can be Batman, then always be the Batman





Mad Scientist
20924 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2153473 2-Jan-2019 19:06
One person supports this post

richms:

 

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldn't be offering it. As it is clear that banks don't give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.

 

 

Reading more into it, 10,000,000 + has been stolen in Australia using this trick because by law an Aussie carrier is required to port within 3 hours of a request being made. (I guess the thieves know that in a 3 hour window from port request they can gain access, giving them a window to concentrate on)

 

Apparently T-Mobile has a porting PIN that you can set up so that porting your number requires the PIN.

 

I don't think my Skinny number has a porting PIN.





Involuntary autocorrect in operation on mobile device. Apologies in advance.


Mr Snotty
8876 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 2153478 2-Jan-2019 19:21
2 people support this post

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 







Mad Scientist
20924 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2153479 2-Jan-2019 19:26




Involuntary autocorrect in operation on mobile device. Apologies in advance.




Mad Scientist
20924 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2153481 2-Jan-2019 19:29

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

I understand that yes they need a lot more than just your phone number, and they would have gained them already. But let's say they do and they need your number, there should be a way to prevent our numbers being ported so easily.





Involuntary autocorrect in operation on mobile device. Apologies in advance.


2458 posts

Uber Geek


  # 2153483 2-Jan-2019 19:46

michaelmurfy:

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

Bank phishing and banking trojans are sophisticated enough to get all of this.

 

 

If there is money involved, SMS 2FA is NOT sufficient, as attackers can port or intercept SMS 2FA tokens.

 

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoins
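
The point made in this post and in the step list quoted above it, as an added example that is not part of any post in the thread: a bank-side check that stops trusting an SMS code when the carrier reports a recent port and that applies a transfer-velocity limit. The carrier port feed, the thresholds and all names are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, not any bank's real thresholds.
PORT_COOLDOWN = timedelta(hours=72)    # distrust SMS this long after a port or SIM change
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 2000                  # outgoing dollars per window before step-up

@dataclass
class Transfer:
    when: datetime
    amount: int        # whole dollars
    new_payee: bool    # payee never paid from this account before

def decide(transfer, history, last_port):
    """Return 'allow_sms', 'step_up' or 'hold'; last_port comes from a hypothetical carrier feed."""
    recently_ported = (
        last_port is not None
        and timedelta(0) <= transfer.when - last_port < PORT_COOLDOWN
    )
    window_start = transfer.when - VELOCITY_WINDOW
    recent_total = transfer.amount + sum(
        t.amount for t in history if window_start <= t.when <= transfer.when
    )
    over_velocity = recent_total > VELOCITY_LIMIT
    if recently_ported and (transfer.new_payee or over_velocity):
        return "hold"       # an SMS code says nothing about who holds the number now
    if recently_ported or over_velocity:
        return "step_up"    # require a non-SMS factor before releasing funds
    return "allow_sms"

def replay(transfers, last_port):
    """Run decide() over transfers in time order, counting every attempt as history."""
    decisions, seen = [], []
    for t in transfers:
        decisions.append(decide(t, seen, last_port))
        seen.append(t)
    return decisions

# Constructed sample: number ported at 09:00, then three $1000 transfers.
PORT = datetime(2019, 1, 2, 9, 0)
SAMPLE = [
    Transfer(datetime(2019, 1, 2, 10, 0), 1000, False),
    Transfer(datetime(2019, 1, 2, 10, 30), 1000, True),
    Transfer(datetime(2019, 1, 2, 11, 0), 1000, False),
]
if __name__ == "__main__":
    print(replay(SAMPLE, PORT), replay(SAMPLE, None))
```

With the port signal the three transfers are never released on an SMS code alone; without it, only the velocity rule fires, and only on the third transfer.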

 


4431 posts

Uber Geek
Inactive user


  # 2153484 2-Jan-2019 19:46

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

But if the customer has ever upgraded their limit (which most people with a need to transfer more than $1k will do. For instance, I transfer more than that to my Mrs every fortnight just to pay bills; would be more if I got paid monthly).

 

What's onlinecode?? I bank with ANZ, have changed phones, and ported about 8 times, in the last 4 years alone and have never heard of it. If they have my number, they have my SMS verification.

 

I transferred/juggled many many thousands when we bought our last house to cover stamp duty and other things when there were some issues with another bank account... Nothing ever triggered any fraud things.

 

 

 

Oh, and while you're there, tell head office in Oz that I'm seriously unimpressed with them holding my wages hostage overnight (or until Tuesday if my pay goes in on a Saturday) for them to "clear" from a company that also banks with ANZ. It's a rort and they're bastards.


2998 posts

Uber Geek


  # 2153491 2-Jan-2019 20:12
2 people support this post

michaelmurfy: Also, on that note this is why you don't use POLi!


 



You saying "don't use POLi" is like whispering into a thunderstorm. The banks are letting it happen; what signal does that send?
