
Batman

Mad Scientist
27827 posts

Uber Geek

Trusted
Lifetime subscriber

#243802 2-Jan-2019 17:27

I heard from a friend that their direct relation had their phone number ported to another carrier by thieves, and then their bank account was drained after using the phone number as bank account verification for log in.

 

How does one prevent that?

 

(Just realised while typing that this may not be android related, though the phone was an android)





Involuntary autocorrect in operation on mobile device. Apologies in advance.


  #2153399 2-Jan-2019 17:32

I highly doubt that's the full story

 

Banks are more careful than that, my bank requires a pin number for over the phone dealings along with the account number.


Batman

Mad Scientist
27827 posts

Uber Geek

Trusted
Lifetime subscriber

  #2153416 2-Jan-2019 17:49

Well I checked out the story on the Internet and it's been done many times around the world




Involuntary autocorrect in operation on mobile device. Apologies in advance.


jamesrt
1235 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2153417 2-Jan-2019 17:49

I guess technically if the bank uses an SMS as a 2-factor authentication, it may be possible to hijack that.

Regular password changes and strong passwords would help prevent this; and a password manager would assist with that.

Also paging @michaelmurfy; who may wish to comment further?



TENKAN
314 posts

Ultimate Geek
Inactive user


  #2153419 2-Jan-2019 17:50

Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

gehenna
7353 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2153421 2-Jan-2019 17:58

Friend of a friend stories rarely turn out to be accurate. Even friend stories can be 50/50 lol

loceff13
916 posts

Ultimate Geek


  #2153425 2-Jan-2019 18:05

TENKAN: Is that actually possible? I mean you would need the sim card pin number as well to port over wouldn't you? With 2degrees you need this plus the sim card serial numbers, as previously mentioned sounds like a bit more to this.

 

 

 

When I lost my SIM on Spark I had to provide my current mobile ph number, name, DOB and the model of phone I used that SIM for and that was deemed enough to transfer it to a new SIM for me, pretty easy for someone close to you to know.

 

 

 

So it likely depends on the provider and the details they hold for that account.


richms
25170 posts

Uber Geek

Trusted
Subscriber

  #2153430 2-Jan-2019 18:16

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldn't be offering it. As it is clear that banks don't give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.





Richard rich.ms



scuwp
3569 posts

Uber Geek


  #2153470 2-Jan-2019 18:56

It’s on the internet, it must be true.




Always be yourself, unless you can be Batman, then always be the Batman



Batman

Mad Scientist
27827 posts

Uber Geek

Trusted
Lifetime subscriber

  #2153473 2-Jan-2019 19:06

richms:

 

Unless it has changed, a port is easier, from a postpay plan just needing the phone and account numbers.

 

I have had a number ported away from me in the past, although I think it was a friend of a friend being a dick since we disliked each other rather than aiming for anything to try to get access to banking (that number wasn't used for any 2 factor anyway)

 

At the end of the day, banks have to guarantee money that is with them, and if they were not happy with the security of the SMS 2 factor they shouldn't be offering it. As it is clear that banks don't give 2 craps about security then I guess nothing will happen till the costs for fraud like this exceed the costs to make it secure.

 

 

Reading more into it, 10,000,000 + has been stolen in Australia using this trick because by law an Aussie carrier is required to port within 3 hours of a request being made. (I guess the thieves know that in a 3 hour window from port request they can gain access, giving them a window to concentrate on)

 

Apparently T-Mobile has a porting PIN that you can set up so that porting your number requires the PIN.

 

I don't think my Skinny number has a porting PIN.





Involuntary autocorrect in operation on mobile device. Apologies in advance.


michaelmurfy
/dev/ttys0
10982 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2153478 2-Jan-2019 19:21

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 





Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi


Batman

Mad Scientist
27827 posts

Uber Geek

Trusted
Lifetime subscriber

  #2153479 2-Jan-2019 19:26




Involuntary autocorrect in operation on mobile device. Apologies in advance.


Batman

Mad Scientist
27827 posts

Uber Geek

Trusted
Lifetime subscriber

  #2153481 2-Jan-2019 19:29

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

I understand that yes they need a lot more than just your phone number, and they would have gained them already. But let's say they do and they need your number, there should be a way to prevent our numbers being ported so easily.





Involuntary autocorrect in operation on mobile device. Apologies in advance.


kyhwana2
2537 posts

Uber Geek


  #2153483 2-Jan-2019 19:46

michaelmurfy:

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

Bank phishing and banking trojans are sophisticated enough to get all of this.

 

 

If there is money involved, SMS 2FA is NOT sufficient, as attackers can port or intercept the SMS 2FA token.

 

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoins
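
An added example, not part of any post in this thread and not any bank's actual logic: a defender-side sketch of the two controls the discussion circles around, distrusting an SMS code when the number has just been ported and flagging repeated transfers at the $1000 default limit. The port timestamp source, the 72-hour cool-off, the 24-hour window and all function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical policy values; the thread gives only the $1000 default limit.
PORT_COOL_OFF = timedelta(hours=72)    # distrust SMS this long after a port
VELOCITY_WINDOW = timedelta(hours=24)  # look-back for repeated transfers
MAX_AT_LIMIT = 2                       # at-limit transfers tolerated in window


@dataclass
class Transfer:
    when: datetime
    amount: float


def sms_otp_trusted(now: datetime, last_port: Optional[datetime]) -> bool:
    """An SMS code proves control of the number only if it has not just moved."""
    return last_port is None or now - last_port >= PORT_COOL_OFF


def assess_transfer(now: datetime, amount: float, history: List[Transfer],
                    last_port: Optional[datetime],
                    limit: float = 1000.0) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one requested transfer."""
    reasons = []
    decision = "allow"
    at_limit = [t for t in history
                if timedelta(0) <= now - t.when <= VELOCITY_WINDOW
                and t.amount >= limit]
    if amount >= limit and len(at_limit) >= MAX_AT_LIMIT:
        decision = "hold_for_review"
        reasons.append("repeated transfers at the account limit within 24 hours")
    if not sms_otp_trusted(now, last_port):
        # Port recency outranks the velocity rule: the SMS factor itself is suspect.
        decision = "require_non_sms_step_up"
        reasons.append("number ported or SIM changed recently")
    return decision, reasons


if __name__ == "__main__":
    now = datetime(2019, 1, 2, 20, 0)  # constructed sample data
    past = [Transfer(now - timedelta(hours=h), 1000.0) for h in (1, 2)]
    print(assess_transfer(now, 1000.0, past, None))
    print(assess_transfer(now, 200.0, [], now - timedelta(hours=2)))
```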

 


blakamin
4431 posts

Uber Geek
Inactive user


  #2153484 2-Jan-2019 19:46

michaelmurfy:

 

There will be more to this.

 

For example, with ANZ you need the following:
1) Customer Number
2) Password and
3) Onlinecode, if the customer has this enabled (SMS Verification)

 

There are also transfer limits on most accounts - by default, this is $1000.

 

The attacker will need to:
1) Get the customer number along with the password.
2) Get either the sim card number or mobile account number (here in NZ)
3) Port the number.
4) Login to IB.
5) Do their transfers without triggering fraud detection(!) and filling out the onlinecode each time, if required.

 

Multiple transfers of $1000 will trigger fraud detection (I can't go into too many details here) but really - to get this far I'd call it identity theft. There are too many steps involved. Not saying it isn't possible, but the customer of the bank would have had to give many details in the process breaking their internet banking terms and conditions also. This is more likely to happen via somebody trusted by the individual (eg, partner or close friend).

 

But really - I call BS here. Also, on that note this is why you don't use POLi!

 

 

 

 

But if the customer has ever upgraded their limit (which most people with a need to transfer more than $1k will do. For instance, I transfer more than that to my Mrs every fortnight just to pay bills, Would be more if I got paid monthly).

 

What's onlinecode?? I bank with ANZ, have changed phones, and ported about 8 times, in the last 4 years alone and have never heard of it. If they have my number, they have my SMS verification.

 

I transferred/juggled many many thousands when we bought our last house to cover stamp duty and other things when there were some issues with another bank account... Nothing ever triggered any fraud things. 

 

 

 

Oh, and while you're there, tell head office in Oz that I'm seriously unimpressed with them holding my wages hostage overnight (or until Tuesday if my pay goes in on a Saturday) for them to "clear" from a company that also banks with ANZ. It's a rort and they're bastards.


Bung
4559 posts

Uber Geek


  #2153491 2-Jan-2019 20:12

michaelmurfy: Also, on that note this is why you don't use POLi!


 



You saying "don't use POLi" is like whispering into a thunder storm. The Banks are letting it happen. What signal does that send?
