Gone in 15 Minutes: Australia's Phone Number Theft Problem
Fraudsters Hijack Mobile Numbers to Crack Open Bank Accounts
Candy Henriquez, who lives in Sydney, is at her wit's end. In July, for the fourth time in 13 months, her phone number was stolen.
Each time, her phone number was involuntarily ported from Vodafone to Optus, and she's been powerless to stop it. It's a type of attack known as SIM hijacking or swapping. A criminal pretends to be an authorized holder of a number, often by tricking a customer service representative, and succeeds in moving a number to a different SIM card.
Once the attackers controlled Henriquez's phone number, they took AU$500 (US$360) from her Westpac account using "cardless" cash, which allows ATM withdrawals using only a one-time passcode. The fraudsters also later took $1,300 in a direct debit transaction.
SIM hijacking is not a new attack, but there's increasing interest in stealing phone numbers. That's because banks often send two-step verification codes over SMS. Additionally, major services such as Google, LinkedIn, Facebook and Instagram use the mobile channel in some scenarios for password resets.
Over the past two years, fraud involving unauthorized phone ports has increased, mostly due to organized crime, says Detective Chief Inspector Matthew Craft of the New South Wales Police's Financial Crimes Squad. Craft says because of the mobile industry's "inability to implement some simple measures to prevent it from occurring," the problems have continued.
"I would like to see the telecommunication companies be more proactive in this area," he says.
The stakes around SIM hijacking have risen in recent years, says Richard de Vere, who runs a U.K.-based consultancy, The AntiSocial Engineer, which trains companies how to avoid getting tricked into divulging sensitive information.
"In 2018, you can take out half of someone's financial and business contacts with a successful SIM swap attack," de Vere says.
Hijacks Leverage Basic Personal Data
Combined with other personal information stolen in identity theft schemes, pilfering a phone number is often the last key piece of data needed to swiftly execute fraud.
In Australia, there's no movement to strengthen the authentication requirements to request a number port. All that is needed is a name, address, phone number and either an account or reference number or a person's date of birth. The porting requests can often just be made online.
Seven years ago, mobile operators sought to shift the blame to banks and service providers for using SMS one-time passcodes, or OTPs, for security, according to iTnews. But the point now is largely moot because so many services use SMS for security purposes.
That's despite expert advice from organizations such as the U.S. National Institute of Standards and Technology. Two years ago, NIST recommended that authentication via SMS or voice should be avoided because of SIM porting and swapping concerns.
Some banking customers use hardware dongles that generate OTPs. Those are considered to be more secure because the codes do not get sent via SMS.
Australian banks such as Commonwealth Bank, NAB, Macquarie Bank and Westpac have tackled SIM hijacking from another angle. The banks get a data feed from a company, Paradigm.one, that collects real-time porting data, such as when a number moves from carrier A to carrier B.
A recent SIM change may be viewed as an increased risk if an account has also attempted to suddenly initiate a high-value transaction. Using other metrics, such as device fingerprinting and geolocation, banks can decide whether to reject transactions and suspend accounts. Paradigm.one's system has its limitations, though, as it doesn't collect data for certain types of SIM changes.
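An added sketch of the check described above, not code from any bank or from Paradigm.one: it combines a porting feed with transaction value, device and location to decide whether an SMS-verified transaction should proceed. The feed layout, the 72-hour window, the AU$1,000 threshold and the decision names are all assumptions, and the sample numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values: the article gives no thresholds, weights or feed schema.
PORT_WINDOW = timedelta(hours=72)   # how long a port counts as "recent"
HIGH_VALUE_AUD = 1000

@dataclass
class Txn:
    msisdn: str
    amount_aud: float
    when: datetime
    device_id: str
    country: str
    uses_sms_otp: bool

def last_port(port_feed, msisdn, before):
    """Latest port time for this number at or before `before`, else None."""
    times = [t for n, t in port_feed if n == msisdn and t <= before]
    return max(times, default=None)

def assess(txn, known_devices, home_country, port_feed):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'hold'."""
    reasons = []
    ported = last_port(port_feed, txn.msisdn, txn.when)
    recent_port = ported is not None and txn.when - ported <= PORT_WINDOW
    if recent_port:
        reasons.append("recent port")
    if txn.amount_aud >= HIGH_VALUE_AUD:
        reasons.append("high value")
    if txn.device_id not in known_devices:
        reasons.append("unknown device")
    if txn.country != home_country:
        reasons.append("unusual country")
    # After a port, an SMS code no longer shows the customer holds the SIM.
    if recent_port and txn.uses_sms_otp:
        return ("hold" if len(reasons) >= 2 else "step_up"), reasons
    return ("step_up" if len(reasons) >= 2 else "allow"), reasons

# Constructed sample data (numbers, devices and times are made up).
FEED = [("+61491570156", datetime(2018, 7, 6, 23, 10))]
DEVICES = {"dev-home"}
T = datetime(2018, 7, 7, 1, 0)
SAMPLES = [
    Txn("+61491570156", 3500, T, "dev-new", "US", True),
    Txn("+61491570156", 50, T, "dev-home", "AU", True),
    Txn("+61491570157", 3500, T, "dev-home", "AU", True),
]
```

A port on its own only triggers verification through a non-SMS channel here rather than a block, since most ports are legitimate; a feed that misses some types of SIM change would leave `recent_port` false for those cases.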
15 Minutes Later, SOS Only
In Australia, it can take as little as 15 minutes to steal someone's phone number, timed from when the request is made until when the port gets executed.
The data needed to request a port presents a low barrier for identity thieves. An account number can be obtained by tricking mobile carrier employees - a ploy known as social engineering - or through phishing attacks or by stealing postal mail. And a person's birthdate is hardly a secret.
Australia is not unique in requiring little information to port a number. Carriers worldwide have sought to make it easy for their customers, says Jason Lane-Sellers, director of solutions consulting at ThreatMetrix and president of the Communications Fraud Control Association.
"Reliance on such authentication is simply poor or weak," Lane-Sellers says. "Alternatives that don't increase customer friction are needed, especially with porting services being conducted in real time."
Anyone targeted by an unauthorized port is immediately put on the defensive. The port will already be underway by the time a victim gets an SMS or email notification.
If someone doesn't actively respond after receiving a notification, a number can quickly vanish. The technical process behind it is completely automated. About 90 percent of ports are completed in three hours or less, as required by an industry standard.
The only way to stop a port is by calling. When a port notification is received, "you need to call straight away," says Jen Zemek, head of corporate media relations for Vodafone.
Some operators in Australia accept number porting requests online. Fraudsters intentionally time requests for awkward hours, such as late on a Friday night, when there's less chance of an intervention. If the number has moved, a reversal process has to be initiated. In the meantime, a fraudster goes to work.
Line Goes Dead. Then, Fraud.
It doesn't take long for fraud to happen after a number disappears. About six months ago, Roslynne Rudge, who lives north of Sydney, was awaiting a new phone and SIM card from Telstra. The phone arrived. The SIM card didn't.
She then received an email from Vodafone thanking her for changing providers. Soon after, she received an email from Telstra notifying her that her number was to be ported.
"What I found amazing was that my telephone number could be ported without any consent from me," Rudge says. "I hadn't been asked to sign anything or verify anything. I had been notified after the fact."
After her number was ported, Rudge's son, Jesse Sutton, sent his mother a text message. He says he received a normal response back the first time. But the second message from her number was "slightly lewd," he says.
"I thought, 'This isn't right'," Sutton says. "It's not mum."
Rudge says after the port went through, her credit card account showed a $30 charge for a phone card and also two $3,500 charges made overseas. Her bank, NAB, contacted her after flagging the charges as suspicious.
"It was a two-prong attack," Rudge says. "They stole my phone number first, and then they went after my credit card."
The fraudsters likely already had her credit card details, Rudge says. But they needed her phone number to get the two-step verification code that NAB requires for larger credit card purchases.
NAB only pushed back a little on the credit card charges and eventually dismissed them, Rudge says. Telstra, however, incorrectly levied at least $200 in fees to her account, which proved time-consuming to remedy.
"It took weeks and weeks to sort out," Rudge says. "I was ready to kill somebody."
ID theft victims spend an average of 32 non-consecutive hours sorting out their affairs after an incident, says David Lacey, founder of IDCare, a Queensland-based charity that helps victims of identity theft.
Telecommunications companies and banks also usually don't tell victims what identity information criminals have misappropriated, he says.
"Knowing that bit of stolen information influences the response that they [victims] need to take," says Lacey, who is also a professor of cybersecurity at University of the Sunshine Coast.
Despite an uptick in large-scale data breaches and identity theft schemes, the authentication information required to port numbers hasn't changed since number porting was first implemented in the early 2000s.
It's the equivalent of an online service provider assigning an account number as a username and a person's birthdate as the password to protect a highly personal and essential tool: their phone number.
Mobile network infrastructure in Australia is primarily run by three operators: Telstra, Vodafone and Optus. None of the operators responded to a question asking for statistics on unauthorized ports.
The Australian Communications and Media Authority, which regulates number porting, said it does not provide statistics on fraudulent number ports.
IDCare, however, has received a rising number of complaints involving unauthorized phone porting over the past several years. The rise prompted the organization to begin keeping statistics. Lacey says the organization receives at least one call a day from porting victims.
Over a one-year period ending in June, IDCare recorded 1,056 complaints that involved SIM hijacking or swapping. The actual figure is likely higher, as those are only the victims who have contacted IDCare. Two of the three phone porting victims spoken to by Information Security Media Group, for example, didn't report the incidents to IDCare.
Still, the complaints are a blip compared to the total number of legitimate ports. ACMA says that an average of 150,000 ports were completed per month in fiscal 2016/2017.
But Lacey says his organization predicted the problem would grow worse. He says it spotted "gaping holes" around number porting five years ago.
Two years ago, IDCare considered the issue serious enough that it established a working group involving telecommunication companies, banks and police. It was aimed at bettering number porting security. But after about three meetings, the effort "died," Lacey says.
IDCare still considers it an urgent issue, particularly in an age of rampant identity theft and credential hacking, which usually precedes a number porting attack, Lacey says.
"The reality is that organized criminals are misusing and abusing identities through that market, so clearly there is a need for that market to respond because the impact of that [hijack] is quite significant for that person," he says.
Speedy Porting: It's The Law
The reason number porting is fast and easy is that it's required to be so by law.
About 20 years ago, the Australian Competition and Consumer Commission mandated that mobile customers should be able to port their numbers and directed ACMA to carry out the plan.
Because of the technical nature of porting, the government left it to the mobile industry to create the procedures. What came about is the Mobile Number Portability Code, a highly detailed technical guide for operators.
The code is maintained by an industry group, the Communications Alliance, and is regularly reviewed by the Mobile Number Portability Administration Group. The code is registered with the ACMA, which means mobile operators must follow it.
The code has been amended several times since 2001, in part to stop mobile carriers from making it purposely more difficult to port. Mobile operators fiercely compete for customers, as it's a zero-sum game, and not all players have played fair over the years. Generally, the code has sought to make porting efficient for customers while imposing the least cost to industry.
In a statement to ISMG regarding phone porting, ACMA says the industry is working "with financial institutions to put in place a range of new measures to improve customer security and reduce the incidents of fraud using mobile devices."
There are a variety of ways that mobile providers could get more assurance that only an authorized person is requesting a number port.
Vodafone and Optus do give customers the option to set a security PIN that's required for account changes. But it's unclear if that PIN would be requested for ports that are initiated online.
Another method used by some U.K. operators could improve Australia's defenses. Moving a number in the U.K. requires a customer to get a Porting Authorization Code, or PAC, from their current operator, which is then passed to the new service provider.
Two years ago, de Vere of The AntiSocial Engineer tested U.K. operators to see if he could trick customer service representatives into divulging PACs. Some operators gave the code out after de Vere related basic identity information.
But two operators - Vodafone and O2 - would only send the code over SMS, which ensured that only the authorized holder of the number receives it. To its credit, Vodafone in Australia does send a one-time code to a phone in order to complete a SIM swap.
Such a procedure would have helped Kent Lin of Sydney, whose phone number was ported twice in four days in late June and early July.
Lin's phone number was with Virgin Mobile. On June 26, he received a text from Amaysim, a mobile virtual network operator, that his number was to be ported.
The SMS came from a three-digit number, which he says didn't connect when he tried to call. He then dismissed the message as either a fraud or spam, as he wasn't aware Amaysim was a mobile operator.
The next day, his phone no longer worked. Shortly after, hundreds of dollars were taken from his Commonwealth Bank account via an ATM in Leichhardt, a Sydney suburb. He also noticed a charge on his account from Amaysim for a prepaid SIM card.
Lin had been awaiting a replacement debit card from Commonwealth, which he believes was stolen in the mail.
It's not exactly clear how the fraud was executed. But Lin says Commonwealth Bank told him that a password had been set for phone banking, which he never used. Lin, who works in information technology, suspects the fraudster used phone banking to prepare the card for use in an ATM.
After he recovered his number, it was ported again four days later. "The standard [for porting numbers] is out of date," Lin says. "They need some extra information."
Commonwealth Bank refunded his money, but the process took about three months and wasn't resolved until after Lin had filed a complaint with the Financial Ombudsman Service. A Commonwealth Bank spokeswoman says the bank refunds fraudulent charges if the customer is not at fault.
John Stanton, CEO of the Communications Alliance, dismissed the importance of the SIM hijack in Lin's situation.
"Typically - as it appeared to be in the case of Mr. Lin - this type of fraud begins with identity theft rather than through any inherent weakness in the process of porting mobile telephone numbers," Stanton says.
Continued Theft Fears
Henriquez is afraid that even after four times, her phone number could be swiped again.
She's changed her phone number. Vodafone tried to charge her $40 for the change but eventually dismissed it. She says she didn't even tell her mother the new number.
She also changed her account number. But an unauthorized port happened again. Vodafone representatives eventually suggested that she put her mobile account under a different name, she says.
"I have no one to do that, and I don't think it's fair that I have to hide my identity," Henriquez says.
Presented with the details of Henriquez's problems, Zemek, the Vodafone spokeswoman, says that under the Mobile Number Portability Code, the company must port the number after a request.
"We have to let that number go," she says.
Zemek says there are other security steps that Vodafone can implement to protect Henriquez's number, but she declined to detail those measures for publication. It's unclear why Henriquez wasn't offered those options prior to ISMG's inquiry.
"I don't feel secure with my number," Henriquez says. "They can just take my number again."