Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsAndroidPSA: mobile number ported and bank account drained


Mad Scientist
19524 posts

Uber Geek
+1 received by user: 2581

Trusted
Lifetime subscriber

Topic # 243802 2-Jan-2019 17:27
Send private message quote this post

I heard from a friend that their direct relation had their phone number ported to another carrier, by thieves and then their bank account was drained after using the phone number as bank account verification for log in.

 

How does one prevent that?

 

(Just realised while typing that this may not be android related, though the phone was an android)




Swype on iOS is detrimental to accurate typing. Apologies in advance.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
8005 posts

Uber Geek
+1 received by user: 2661

Subscriber

  Reply # 2153399 2-Jan-2019 17:32
Send private message quote this post

i highly doubt thats the full story

 

banks are more careful than that, my bank requires a pin number for over the phone dealings along with the account number.



Mad Scientist
19524 posts

Uber Geek
+1 received by user: 2581

Trusted
Lifetime subscriber

  Reply # 2153416 2-Jan-2019 17:49
Send private message quote this post

Well I checked out the story on the Internet and it's been done many times around the world




Swype on iOS is detrimental to accurate typing. Apologies in advance.

 
 
 
 


781 posts

Ultimate Geek
+1 received by user: 246

Trusted
Subscriber

  Reply # 2153417 2-Jan-2019 17:49
Send private message quote this post

I guess technically if the bank uses an SMS as a 2-factor authentication, it may be possible to hijack that.

Regular password changes and strong passwords would help prevent this; and a password manager would assist with that.

Also paging @michaelmurfy; who may wish to comment further?

172 posts

Master Geek
+1 received by user: 6


  Reply # 2153419 2-Jan-2019 17:50
Send private message quote this post

Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

5252 posts

Uber Geek
+1 received by user: 1325

Moderator
Trusted
Lifetime subscriber

  Reply # 2153421 2-Jan-2019 17:58
9 people support this post
Send private message quote this post

Friend of a friend stories rarely turn out to be accurate. Even friend stories can be 50/50 lol

720 posts

Ultimate Geek
+1 received by user: 164


  Reply # 2153425 2-Jan-2019 18:05
Send private message quote this post

TENKAN: Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

 

 

 

When I lost my SIM on Spark I had to provide my current mobile ph number, name, DOB and the model of phone I used that SIM for and that was deemed enough to transfer it to a new SIM for me, pretty easy for someone close to you to know.

 

 

 

So it likely depends on the provider and the details they hold for that account.

21728 posts

Uber Geek
+1 received by user: 4514

Trusted
Subscriber

  Reply # 2153430 2-Jan-2019 18:16
Send private message quote this post

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldnt be offering it. As it is clear that banks dont give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.




Richard rich.ms

3127 posts

Uber Geek
+1 received by user: 1600


  Reply # 2153470 2-Jan-2019 18:56
One person supports this post
Send private message quote this post

It’s on the internet, it must be true.




Always be yourself, unless you can be Batman, then always be the Batman



Mad Scientist
19524 posts

Uber Geek
+1 received by user: 2581

Trusted
Lifetime subscriber

  Reply # 2153473 2-Jan-2019 19:06
One person supports this post
Send private message quote this post

richms:

 

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldnt be offering it. As it is clear that banks dont give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.

 

 

Reading more into it, 10,000,000 + has been stolen in Australia using this trick because by law an Aussie carrier is required to port within 3 hours of a request being made. (I guess the thieves know that in a 3 hour window from port request they can gain access, giving them a window to concentrate on)

 

Apparently T mobile has a porting PIN that you can set up so that porting your number requires the PIN.

 

I don't think my Skinny number has a porting PIN.




Swype on iOS is detrimental to accurate typing. Apologies in advance.

Mr Snotty
8194 posts

Uber Geek
+1 received by user: 4191

Moderator
Trusted
Lifetime subscriber

  Reply # 2153478 2-Jan-2019 19:21
2 people support this post
Send private message quote this post

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There is also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial



Mad Scientist
19524 posts

Uber Geek
+1 received by user: 2581

Trusted
Lifetime subscriber

  Reply # 2153479 2-Jan-2019 19:26
Send private message quote this post

https://www.google.com/search?q=australia+number+port+bank+steal




Swype on iOS is detrimental to accurate typing. Apologies in advance.



Mad Scientist
19524 posts

Uber Geek
+1 received by user: 2581

Trusted
Lifetime subscriber

  Reply # 2153481 2-Jan-2019 19:29
Send private message quote this post

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There is also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

I understand that yes they need a lot more than just your phone number, and they would have gained them already. But let's say they do and they need your number, there should be a way to prevent our numbers being ported so easily.




Swype on iOS is detrimental to accurate typing. Apologies in advance.

2452 posts

Uber Geek
+1 received by user: 147


  Reply # 2153483 2-Jan-2019 19:46
Send private message quote this post

michaelmurfy:

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There is also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

Bank phishing and banking trojans are sophisticated enough to get all of this.

 

 

If there is money involved, SMS 2FA is NOT sufficient, as attackers can port or intercept SMS 2FA token

 

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoins

 

Murray River
4428 posts

Uber Geek
+1 received by user: 1355

Trusted
Subscriber

  Reply # 2153484 2-Jan-2019 19:46
Send private message quote this post

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There is also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

But if the customer has ever upgraded their limit (which most people with a need to transfer more than $1k will do. For instance, I transfer more than that to my Mrs every fortnight just to pay bills, Would be more if I got paid monthly).

 

What's onlinecode?? I bank with ANZ, have changed phones, and ported about 8 times, in the last 4 years alone and have never heard of it. If they have my number, they have my SMS verification.

 

I transfered/juggled many many thousands when we bought our last house to cover stamp duty and other things when the was some issues with another bank account... Nothing ever triggered any fraud things. 

 

 

 

Oh, and while you're there, tell head office in Oz that i'm seriously unimpressed with them holding my wages hostage overnight (or until tuesday if my pay goes in on a saturday) for them to "clear" from a company that also banks with ANZ. It's a rort and they're bastards.

2644 posts

Uber Geek
+1 received by user: 402


  Reply # 2153491 2-Jan-2019 20:12
2 people support this post
Send private message quote this post

michaelmurfy: Also, on that note this is why you don't use POLi!


 



You saying "don't use POLi" is like whispering into a thunder storm. The Banks are letting it happen what signal does that send?

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.