Optus phone porting scam: Alex's identity and $8.5k stolen in holiday identity theft bungle

Alex's case proves that the battle against identity theft is far from over.

Alex's Optus identity-theft nightmare began during the morning of his holiday in Croatia in July 2023, when he discovered two of his bank accounts and a credit card had been compromised and $8,500 had been siphoned off his balances.

He contacted his bank, which confirmed security access codes had been sent to his mobile phone number to authorise those transactions. Then, on checking his Australian Optus SIM, he discovered the number was no longer working, showing SOS mode.

Alex contacted Optus on July 20, 2023, to inquire if his number had been stolen and ported or assigned to a new SIM, only to be misinformed that his phone had not been affected. Optus insisted that his phone was not working not because the number had been moved to a new SIM, but because the access problems he was experiencing with the SIM must be due to mobile network issues in Croatia. Optus continued to maintain, via email support messages, that the number had not been ported.

Stylised image of a phone displaying 'Optus' with a shady character engaging in identity theft in the background
Telcos like Optus and Telstra are being urged to step up in the battle against identity theft. (Source: Getty) (SOPA Images via Getty Images)

That wasn't true, however. When Alex returned to Australia, an Optus representative finally admitted that a replacement SIM for Alex's number had been issued on July 18, 2023, through an Optus store.

To port the number, Optus should have asked for 100 points of identification and requested an authorisation through the existing SIM, following the approach set out in the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020. Alex was told a store manager decided to authorise the request despite lacking that information.

The predominant warning sign that a SIM port has happened is that your phone will lose service and go into 'SOS mode'. Sometimes you might receive a text notifying you that it has been changed; if you're not behind this, call the telco immediately.

Alex eventually had his bank accounts refunded and his numbers restored, but it was a stressful ordeal that ruined his holiday - and it would never have happened if Optus had followed the procedures correctly.

Also by Graham Cooke:

After ID-security expert Paul was scammed by a sophisticated identity-theft attack back in 2020 - when a deactivated Telstra SIM card saw him lose $2,000 through unauthorised transactions - the telecommunications industry introduced the new industry standard, aimed at bolstering defences against such frauds.

At the time, then communications minister Paul Fletcher said this new standard would “mandate stronger, industry-wide, identity-verification measures before mobile numbers could be transferred from one provider to another”. However, Alex’s recent scam experience calls the effectiveness of these measures into question.

So, how did this happen to Alex?

I posed several questions to Optus, addressing the lapses in their security protocol that led to Alex being targeted by identity theft. The questions were simple, asking for explanations on why Optus did not initially realise Alex's number had been moved to a replacement SIM, their standard procedures for issuing replacement SIM cards, and the specific circumstances that allowed for such an oversight in Alex's case.

I also inquired about the protocol allowing store managers to override identification requirements and the potential implementation of additional safeguards, such as setting a password or PIN code to protect accounts in-store.

The responses from Optus were somewhat vague.

“SIM-swap fraud, which occurs when a scammer takes control of a consumer's mobile number by using their personal details to request a new SIM, continues to be an industry-wide concern. Our customer care experts have been in touch with the customer to try and resolve the situation,” a spokesperson said.

Both Alex and Paul's cases raise disturbing questions. Using two-factor authentication is safer than relying on a password alone, but if a telco won't follow the rules correctly, how can we reliably use SMS as an additional form of protection for bank accounts and other sensitive online information?

Identity theft is a real and deeply impactful issue. Given the ongoing dramas, it's time telcos, including Optus and Telstra, step up and instigate better systems before a number can be ported. They also need to ensure that those procedures can't be deviated from at the whim of one individual. Some steps have been taken, but there's a lot more to be done.

5 tips to prevent identity theft happening to you

  1. Set up two-factor authentication on every personal account using an authentication app such as Google or Microsoft Authenticator rather than SMS as the second factor where possible

  2. Make sure to regularly check your credit report on sites like Finder and monitor it for suspicious activity

  3. Never get new credit or debit cards delivered to your home, especially if you have an outdoor mailbox

  4. Download the myGov Authenticator app and connect it to your account

  5. Set up a voice-biometric ID and additional secret questions with the Australian Tax Office.

What should I do if I fall victim to identity theft?

First, check all of your online accounts for suspicious activity and cancel any bank cards that may have been compromised.

Then, make sure you place a temporary ban on your credit reports via email with Australia's three credit agencies: Experian, illion, and Equifax.

Also, if your driver's licence details have been compromised, report this to the relevant body in your state.
