I Was Illegally Ported - How to Avoid This?

GOCAT9 on 28/08/2021 - 20:59
Last edited 29/08/2021 - 21:42

Late last week I was the victim of an illegal porting of my mobile phone number (Aldimobile) by a scammer/hacker! I noticed this since I suddenly lost service! This was immediately followed, within the same hour, by a cyber attack on several different banks I use. I was alerted to these attacks by automated emails that the banks sent me where funds were attempted to be transferred from different accounts etc. As far as I know, the banks and I were able to stop all these fraudulent transfers. I am still in the process of getting all my internet banking accesses back on-line however. Aldimobile was able to get my number back the next day, thankfully. Aldimobile told me that they received a replacement SIM request from the hacker!

So, my question is - whilst there are lots of things we can do to increase our internet security, what can a person do to mitigate the risk of having one's mobile phone number illegally ported (i.e. hijacked)?

EDIT: ChiMot said that I should have received an SMS from provider asking if this port was authorised: see https://www.acma.gov.au/port-customers-phone-number
If this had happened, this problem would NEVER have occured, so I think Aldimobile failed - I will be following this up with them!!

NOOOO!! As somebody else pointed out, I didn't get the sms because it was not technically ported out, it was just transferred to another SIM (aka SIM swap)

Further update: Further research has led me to believe that there is a loophole in the ACMA rules for providers in how number porting must occur wrt security. https://www.acma.gov.au/port-customers-phone-number As far as I can see, the rules of checking the validity of the request ONLY APPLY to porting and not SIM swapping. If the same rules were applied to SIM swapping, this would never have occurred to me. Conclusion: the ACMA rules fall short in ensuring adequate security by not mandating the same security measures apply to SIM swapping as they do to porting.

Mobile

Related Stores

ALDImobile
ALDImobile

Comments

    • CyberMurning on 28/08/2021 - 21:04
      +12

      He asking about how to prevent mobile phone number stealing

      • techlead on 11/09/2021 - 16:04
        +1

        Not sure about Aldimobile, but the providers I have used, Telstra, Vodafone and Optus all verify my identity via 2FA, ie a SMS code to the original number before performing any actions including sim swaps.

        Aldimobile should had this control in place, that would have prevented this. Seems like these hackers have worked out a loophole and are targetting smaller providers.

    • GOCAT9 on 28/08/2021 - 21:04
      +5

      Aldimobile don't offer 2FA unfortunately as far as I can see!

      • indium on 28/08/2021 - 21:25
        +1

        Woolworths mobile seem to do this. Optus and Telstra did not the last time I ported out of each one (prepaid) but this may have changed since then.

      • c64 on 11/09/2021 - 18:14

        they do have a secret telephone pin you can set up

    • anonymous01 on 29/08/2021 - 15:49

      This! Also use a different password for each website, so if one gets hacked, you are not compromised on other websites.

      I know it's a pain to remember every password, so I use Google Chrome's built in password vault. You can go to chrome://settings/passwords/check?start=true to check which websites passwords have been compromised.

      I use Chrome on both PC and Android Mobile so I don't need to remember them, Chrome fills it out automatically.

    • paulojr on 29/08/2021 - 16:17
      +5

      well actually the attack he experienced which I warned about not that long ago on this forum, is targeted at high value customers likely already using 2FA. So turning on 2FA especially with dodgy companies that have bad IT departments like Unisuper that implement 2FA incorrectly (you have no control over the phone number) is exactly what the scammers want you to do!!!

      The issue is security around porting and you absolutely DO NOT need photo ids or half what you would expect to need with many of the telecos!.. In fact maybe this should be something we all consider as part of the features we look at when selecting a new telecommunication provider? (e.g. drive change by demanding security)

      Its too easy to initiate a port request and if its done without proper validation of the customer (which is the current issue) the hacker then triggers a recovery process with all your various critical online accounts using your mobile number to prove its him/her and steals whatever you have they were after. You have no warning as your mobile number now theirs.

      Brilliant scam.. and they know telecommunication companies won't likely fix the gap unless the government starts fining them huge fines.

      Aldimobile.. IT support is not good, very slow and generally their processes are non compliant to common privacy, general law and security policies so I kinda see why aldimobile users would be targeted as it would take weeks to months to even get a support request handled given them heaps of times to compromise each and every account you have using your mobile number.

      Even if the government "did" make it law to add an extra step Aldimobile probably couldn't update their support processes to adapt anyway, just too hard. They would need a new porting and support system and maybe even retraining of staff. Big change for a company that works like a small business internally. (adhoc processes, cheap support tools, struggles to work with telstra etc)

      Not saying Optus could handle it either and that is kinda the point, a lot of the bigger fish especially Optus who also has extremely poor support processes would struggle to adapt their support processes fast enough to handle this. Too much money, to much time to change.. not enough profit I can hear the optus executives thinking through the change. But I guess maybe Optus might pay out in court if you sued them for the damage.

      It would take government fines at massive rates or threats to terminate their operators licenses to get a clear change in the industry. I don't think this scam is common enough yet for any MPs to care but I suspect its getting more popular?

      btw.. SMS is non guaranteed delivery so anyone in the telecommunications industry with a qualifications knows not to use SMS for positive confirmations unless they don't care if its confirmed or confirmed in delay. We would need something more robust and knowing aldimobile they'd probably send the SMS to the NEW phone as that's how stupid their typical processes can be (from experience)!. The other thing is "borrowing" your phone is another way the scam can work.. e.g. leave it at a desk someone could initiate the transfer and pickup your phone and response then delete the SMS.. The best scams is going after people like security admins, people that have administrative or control over big financial accounts, you'd want the verification to be a bit more certain it was you accepting it. Yes sure an SMS verification is 100% better than no verification but if they do it they should do it properly.

      • pizzaking on 31/08/2021 - 17:43

        Can we just stop using phone number for 2fa

  • CyberMurning on 28/08/2021 - 21:03
    +11

    I thought some years ago Government made it as law that the provider must send us sms asking user to confirm the port out? Before that time yes it was easy to steal numbers

    • GOCAT9 on 28/08/2021 - 21:06

      great idea - that would have saved me, but I never received any SMS etc to confirm port out!!

      • mskeggs on 28/08/2021 - 21:29
        +9

        I think they would have requested a sim replacement, activated the sim, then immediately ported the number (or maybe they didn’t, and just used the ALDI service for their purposes).

        Hard to require an SMS confirmation for a replacement sim, unfortunately, as that wouldn’t work. When I have needed one in the past I needed to show photo ID, but that was with Voda, not ALDI.

        • techlead on 11/09/2021 - 16:06

          It does work, other providers already implement this. When I need to do a sim swap with Telstra, Vodafone or Optus, they send a code to the number for me to verify my identity before performing the sim swap. They also do this as part of their standard verification process before they discuss my account.

          If the original sim was lost or otherwise inoperable, they send the code to my email.

    • GOCAT9 on 28/08/2021 - 21:26
      +1

      You are 100% spot-on, I checked, see my now edited post above.

      • treekangagaroo on 28/08/2021 - 22:01

        Do you have an online account for Aldimobile ? If so what's the delivery address ? Scammers ?

    • GOCAT9 on 28/08/2021 - 21:09
      +3

      are you saying that my phone was hacked? Aldimobile told me that they received a replacement SIM request from the hacker!

      • pharkurnell on 28/08/2021 - 21:12
        -4

        This was immediately followed, within the same hour, by a cyber attack on several different banks I use.

        Sim/Phone - how else did they get this info?
        Many use phones for everything.. Im still not convinced its a good idea..

        • Zephyrus on 29/08/2021 - 17:21
          +3

          They did password resets and the like that use your phone/email to reset it.

          Basically email gets hacked, then they would know your phone provider and request a new SIM. Nothing on their actual phone was compromised.

      • Platinumtelecom on 28/08/2021 - 21:26
        +5

        Yes usually your provider sends an SMS to warn you the number is being ported. So the reason you didn’t get it is because the hacker requested a new SIM. He did not port the number at all.

        You lost service when the hacker activated a replacement SIM.

        This is why Aldi managed to get you back online, they still had your service.

        If I were you, I would port the number immediately to a new provider before a does it again.

  • Neoika on 28/08/2021 - 21:16
    +5

    Your SIM was illegally replaced. Someone must have your ID info in photo.

    • GOCAT9 on 28/08/2021 - 21:36
      +4

      you are right, it was illegally replaced. They didnt need a photo ID because it was done by them hacking my online account and requesting a replacement SIM there. I think then that that is a loophole in the legislation. The legislation should also compel providers to SMS customer before a SIM replacement also!

      • CC123 on 28/08/2021 - 21:55
        +11

        providers to SMS customer before a SIM replacement

        Not saying I'm against that but what if your sim is broken or you've lost it? Perhaps an email as well, or instead? I know emails can be hacked.
        *Assuming you mean SMS the customer as a verification method. eg. temp verification code

      • ascorbic on 28/08/2021 - 21:56
        +17

        If a customer is requesting a replacement SIM, chances are the existing SIM is defective and hence they won't be able to receive an SMS.

        • Thrawn on 29/08/2021 - 00:26
          +3

          Still a good idea to send notification SMS in advance to the existing SIM though..

        • GOCAT9 on 29/08/2021 - 08:50
          +4

          Yes, under that scenario an SMS would not help. But under my scenario it definitely would have helped and stopped the scam. So, conclusion is sending SMS could help under some scenarios, but importantly, would NEVER be a disadvantage to send it.

          • mikekiwimike on 29/08/2021 - 09:57
            +2

            @GOCAT9: Your scenario does not make sense:

            Someone was logged into your ALDIMobile account and requested a SIM replacement for a lost/Damaged SIM.

            ALDIMobile assume that this is you, who else has this information to log into your account? being that the SIM is lost/damaged/Stolen they are not going to send a message to the possible recipient because if it is lost nothing comes back (waste of time), if it is stolen then the thief is going to reply with No do not authorise this (the opposite of what you want to have happen).

            They could require that an email is sent to the registered address on the account, to do this they will also need to ensure that a change of email address through the website also triggers an email to the old address.

            The point being this is not easy to fix, if they do not allow the porting then someone accessing your bank accounts with your phone as the SMS verification device (if your phone is locked I assume they can place the SIM in another device to get the messages).

            Banks and other organisations need to move to an app based MFA mechanism, as do ALDI and others… the problem is the reason that ALDIMobile and others are so cheap! it is because their service and their business is laser thin. I signed up with GloBird for energy recently, no login, no nothing of customers just use a random code for the bill information - the point being these businesses have no margin for security which is wrong but it is what it is at the moment.

            • wozz on 31/08/2021 - 09:51

              @mikekiwimike: Scenario does make sense. Added security
              If someone requests new sim, they can automatically send an sms saying a sim replacement has been organised, and to call them immediately if the user did not request this.

              In this case as the OPs sim would still be functional when new sim was requested, they would have received this sms and could have called provider to cancel request

              I know that's not the only problem here and agree with your suggestion, but i don't think it'd harm to add an extra layer

          • GLO on 31/08/2021 - 15:47
            +2

            @GOCAT9: Hey GOCAT9,

            Sim replacement is often one of the final steps that happen before your bank account is fleeced.

            It looks like your email/laptop being hacked and the hacker would have been watching for weeks maybe months!

            They use keyloggers to track your URL visits and passwords.

            The hacker would have gotten into your bank accounts, including your Aldi mobile account, issued request to do the sim replacement, and quickly followed by requests to send money out of your accounts.

            An early indicator of being hacked is when your friends receive an email or FM message from you asking them to sign up or log into something you have recommended.

            Hope it helps you, or others.

      • snooksy on 29/08/2021 - 09:56

        SMS verification is unreliable at best. Surely you weren’t only using SMS for your banking without additional security measures like a password as well. SMS is often used as the second factor in 2FA to enhance the security of a password. It sounds like the passwords you are using are not up to scratch. SMS is unreliable because it relies on an SMS gateway, telephone network and additional device to work properly - many things that can fail. Authenticator Apps are more reliable and not susceptible to SIM card copying / stealing. Firstly though, choose long unique passwords for your services. A password manager can help if set up properly. Then look at a better 2nd factor instead of SMS. SMS is convenient though not very reliable and therefore not a great security factor.

      • Keplaffintech on 08/09/2021 - 11:29

        How did they 'hack' your online account? They must have gotten your password from you somehow?

  • Quantumcat on 28/08/2021 - 21:23
    +6

    Don't use a phone number as 2FA, use an app. Then they would need to get physical access to your phone and unlock it to get access to accounts.

    • Orico on 28/08/2021 - 23:00

      use an app.

      Which app?

      • CyberMurning on 28/08/2021 - 23:32
        +5

        Authy and many others

        • kiitos on 29/08/2021 - 09:36
          -1

          Can authy be used for all 2fa? Some sites seem to only suggest certain apps, like ms or Google authenticator.

          • snooksy on 29/08/2021 - 09:58
            +1

            @kiitos: You can choose which app you want to use.

          • NotAnExpert4 on 29/08/2021 - 21:23
            +1

            @kiitos: Authy supports Google Authenticator codes.

          • spaceflight on 30/08/2021 - 11:02

            @kiitos: Yes, some websites don't make it clear, but you can use Authy (or other apps) and pick Google Authenticator.
            Authy will scan and understand the code.

        • xylarr on 29/08/2021 - 10:07
          +3

          On Android, use google authenticator.
          I have dozens (really) of 2FA accounts setup in google authenticator.
          More and more places use time based 2FA and the most common algorithm is TOTP (https://en.wikipedia.org/wiki/Time-based_One-Time_Password)
          I mean just yesterday, I had a prompt to add it to my nVidia account - which I then did. (we don't need to talk about how nVidia requires a user/pass to get updated drivers)
          Plus, you must use a password manager. Every password I have is different and I don't know what they are. I do know what the password to my password manager is though.

          • eug on 30/08/2021 - 19:30

            @xylarr:

            we don't need to talk about how nVidia requires a user/pass to get updated drivers

            How so? You can download them from https://www.nvidia.com/Download/index.aspx without a login.

          • MrFunSocks on 31/08/2021 - 14:03
            +1

            @xylarr: If you use google authenticator you should make sure to back up the 2FA setup codes in a password manager, as Google Authenticator has no online backup ability. I would suggest Authy as it does cloud backup of 2FA.

          • Typical16-bitEnjoyer on 08/09/2021 - 10:10

            @xylarr: Authy is so much better. Google authenticator is a downright pain if you change phones. You have to redo everything for every service.

    • Milkywayss on 30/08/2021 - 08:26
      +2

      Tell that to the banks using sms as their first authentication method (and some only use this!)

    • poohduck on 28/08/2021 - 22:04
      -1

      or anyone for that matter. Security is an illusion. We've all seen and heard these things on the news before - big corporations like Sony can get hacked; governments are much easier in comparison. Most of us use phones and operating systems that are inherently hacked - and then we seem bewildered when it's made more real to us. We sell our souls to install listening devices because we get off on voice control lights and internet - geez, we're pathetic. And the comical thing is we pay for it; if we didn't buy these devices they would be given to us, or they (google, ms, fb, apple - whoever) would offer us incentives to take them as they do in apps. $10 off on the first purchase if it's made with this app - sound familiar?

      • snooksy on 29/08/2021 - 10:01
        +1

        Security isn’t an illusion. but you have to ensure every point in the chain is secure and trusted. I’d take Aldimobile out of the chain. They can’t be trusted! I work for a financial services org involved in security. Our systems are security vetted by third parties regularly plus we spend about 20% of our work on security these days. Security is constant work and improvement.

    • MagicMushroom on 28/08/2021 - 23:39

      Gee, who would have thought you couldn't trust insert any company with something as important as your primary phone number that you use for 2FA

  • Gervais fanboy on 28/08/2021 - 21:53
    +4

    Hi there

    Some of my personal information got compromised in 2019. The hackers then made multiple attempts to purchase iPhones from Optus(my service provider at the time) over the phone to some random address in Sydney.. Luckily, I received a few texts from Optus about it and I was able to call them in time to reverse that purchase. Furthermore I was able to instill a 6 digit passcode on my account. Blocking anyone else to place orders on my behalf, may it be online or over the phone.
    So yeah, call up your provider and see if you can set a code like that to protect yourself. Thanks

    • GOCAT9 on 29/08/2021 - 08:55
      +2

      Good tip. I have now done that. I only hope that this code is required when ordering a replacement SIM online. I will be calling Aldi to check this.

  • mickyb80 on 28/08/2021 - 22:04
    +2

    Remote wipe, MFA, different passwords, and in this case, as Aldi to provide the details of where the new sim request was being sent to, let the local Leb and bikey mates know in Adeliade then see if they can… … … (profanity) them up for you. After doing so, then let the cops know the address. :)

    🤜

    • GOCAT9 on 29/08/2021 - 08:58
      +1

      Thanks, all good points. However, unfortunately Aldi do not have to send a SIM anywhere. The scammer just buys any new SIM at an Aldi supermarket and then contacts Aldi with the SIM number to have it transferred. This can also be done from the online account after it is hacked without them having to talk to anybody.

      • snooksy on 29/08/2021 - 10:02

        There’s your problem - Aldi Mobile.

      • xylarr on 29/08/2021 - 10:11

        What would be interesting is whether that replacement SIM, bought in an Aldi supermarket, was paid for with a credit card. You might be able to track that to the fraudster.
        Though that would depend on every Aldi SIM having an individual bar code.
        Did you call the police?

      • mickyb80 on 29/08/2021 - 13:30

        Must have been some registration and attempt to activate the sim which can link back to a location of sorts… Either way… Looks to now have been sorted!

    • Gervais fanboy on 29/08/2021 - 16:15

      Hahah, you legend

  • helldoodle on 28/08/2021 - 22:32
    -8

    i know this sounds stupid but this is the reason i use telstra and not some minor third party company, after working for aapt i never again will have a vodaphone or cheap supplier

    • Freezies on 29/08/2021 - 00:45
      +2

      Yeah it sounds stupid as Aldi uses Telstra for it's mobile service. :)

      Aldi Mobile isn't some crappy third grade service, it's a well known and award winning one constantly making "best of" lists. Aldi are an international company that absolutely dwarf Telstra in profits.

      • snooksy on 29/08/2021 - 10:05
        +3

        Aldi mobile is a sub business of Aldi midi marts. They are a reseller, it’s not their network. Aldi mobile is purely a services play. I’m not sure Aldi Mobile is international.

      • helldoodle on 01/09/2021 - 13:27
        -1

        yet in Australia they don't dwarf Telstra's profits and own no infrastructure

      • cheng2008 on 09/09/2021 - 15:40

        "All products and services offered under the brand "ALDImobile" are provided by MEDION Australia Pty Limited and not ALDI Stores."

        Nothing to do with the supermarkets, it's all branding.

  • mbck on 28/08/2021 - 22:38

    Did they get a new sim card replacement and activated that, then got the sms,etcetc?

    Just read the above. Nice catch at least.

  • Freezies on 28/08/2021 - 23:33
    -3

    How did this happen exactly? I have had an Aldi sim for years and they would have at the very least have needed access to your Aldi account to request a new sim in the first place. Secondly, you can't just transfer the number to a new sim without verification. The new sim then needs to be activated via your account before being ported which then requires verification. For this part alone, they needed to be in your Aldi account so there's your first problem.

    Other than needing your Aldi log in details they then had to change the sim delivery address which Aldi can see in order to receive the sim which would then take a week to arrive or did they monitor your post every day to try and intercept the new sim? Then they needed a verification SMS. Porting out also makes absolutely no sense if they wanted to access your bank accounts assuming they even knew your accounts were tied to that specific number in the first place.

    They would have needed your current number to log in to other accounts, change those details to a new number of their choosing then port out to that new number while somehow cirumventing all the bank security and verification policies too and for what purpose? They wouldn't have needed to port your number to attempt making transfers, in fact, it's the opposite as they need the number tied to those accounts.

    What you are saying is too convoluted, illogical and also not even possible unless they had access to more than just your Aldi account. People can't just "hack a phone" to gain access to that kind of stuff either. Sounds more like some had physical access to your phone and even then, trying to port the number to a new sim from the same company makes no sense whatsoever. It's the thought process of a child. Even switching the number to a new sim from Aldi serves no purpose for anyone wanting to access your accounts. Switching to a new number and locking you out to access your accounts is the way it would have been done and they could have done that immediately with any sim and access to your phone which is what they needed to do any of what you mentioned anyway.

    • SF3 on 29/08/2021 - 00:02
      +3

      Agree, somehow OP’s details were leaked or stolen prior to the SIM change event.

      I’m no expert, but I can’t think of how the “hacker” could have known OP’s bank accounts (the bank(s) and login/password) with just having the phone number. Like if OP was “stalked” and the phone number was to then enable their criminal activities. I suspect OP’s phone was already compromised prior.

      • Freezies on 29/08/2021 - 00:14

        It's not possible and this whole porting to a new sim from the same company serves no purpose whatsoever.
        If somone had ordered a new sim for the same number, then they would have needed to change the delivery address. The OP could simply check the address in their Aldi account.

        There was also no porting let alone illegal. You port to a new company, not a new sim with the same one. That's a sim replacement which is for when your sim is lost or phone is stolen so usually that number is temporarily deactivated as you technically don't have access to it and will be notified via email too anyway. This also requires validation.

        If someone had access to all the log in and verification methods required for these things alone, then this has nothing to do with Aldi and everything to do with several of the OP's accounts having been hacked which is incredibly unlikely as if they had, they could have successfully locked the OP out and circumvented all warnings from the bank. If someone had access to the OP's phone and was messing around, they could have easily succeeded in locking the OP out. The OP has assumed this has anything to do with Aldi when it's more likely the OPs other accounts were hacked from weak/same password/physical access to their phone. It's also possible that none of this happened as none of it makes any sense as ordering a new sim achieves nothing other than maybe attempting to lock them out of their service which they could have done from within the account they need to have accessed to request it anyway.

      • FracturedArse on 31/08/2021 - 14:28

        People would be surprised how many data breaches have occurred with popular services they likely use.

        I wouldn't be surprised if most people here have had at least some of their personally identifiable information stolen.

        Google "haveibeenpwned" and go to that site. Put in your email address or mobile and I would be amazed if you haven't had your details exposed.

        https://haveibeenpwned.com/

    • GOCAT9 on 29/08/2021 - 09:09
      +3

      Thank you for those comments, however whilst it might be nice if the world worked that way, unfortunately the facts don’t support that. In summary, this is how it was done, so this is now fact.
      1. My Aldi online account was hacked and they use that to request a replacement SIM.
      2. What that means is that they buy any new $5 Sim at any Aldi supermarket.
      3. The scammer then logs back into the online account where they can enter the new Sim number (not phone number). The online system then transfers the phone number to that new Sim number.
      4. All done, the scammer now has my phone number on their phone. This could take maybe 30 minutes to complete.

      • Freezies on 29/08/2021 - 09:28
        +7

        So how is it an illegal port or scam? Aldi did nothing wrong here. A sim transfer was requested and verified from your account. The issue comes from your acount being compromised.

        As for the transfers, how can anyone access or request a transfer from your bank accounts with just your phone number? They'd need a lot more information than that including PIN/biometric/Passwords. It would seem it's a lot more than just your Aldi account that has been compromised.

        • secondstory on 30/08/2021 - 16:09

          Not saying Aldi did anything particularly wrong here but I'm with OP in wishing all companies in these fields would have some minimum defined protection for people from these kinds of attacks. A sim replacement (or port) is not a common occurrence and wouldn't not have hurt anybody to have a notification sent out to all listed contacts including the old sim (as the hacker could have simply updated existing contacts).

          It's scarily easy for mobiles and accounts to be compromised and quickly provide a path to the rest of our accounts. The number of times I have seen a phone unlocked and unattended for even just a moment - when a moment is all someone with malicious intentions needs - is unsettling. I worry there are generations who either don't completely understand technology or are overconfident in with technology and don't take the appropriate steps to secure themselves. Yes, that would be their own fault but it would be nice if companies would understand that this is just something that happens and put more effort into protecting their customers. (like how ATMs literally tell you to cover the keypad while entering your pin - a small gesture and and obvious thing to some but not all, or how your own accounts they hide your own details from you for the expected possibility that it isn't you)

          The phone number might be the other security factor and can be used for password resets for email accounts (even worse if it's their single signon account then they remove other existing reset contacts). If they managed to get into the Aldi account I would assume, they have access to at least the persons name and email address and possibly more personal info (like postal address as well as anything else they can glean from facebook or the like). The hacker could then reset the email password and do a quick keyword search for banking or other account details (transfer receipts, user may have emailed a photo of their drivers license or Medicare card at some stage, etc.). Now that they have access to both the email account and can receive sms/phone calls and know which websites you have accounts with they can start trying means of resetting your account passwords there and obtaining more personal information. Meanwhile the victim has lost access to both their phone number and emails. Give the hacker just an hour with all this information and I think they can at least attempt to get a lot done - now imagine they started right as you went to bed only for you to find 8 hours later when you wake up with no phone signal and can't log into half your accounts. All this from just the Aldi online account, the reason it didn't get worse was probably the banks did more to protect their customers from what could have looked like a completely and legitimately authorized transaction. Yes, it shouldn't have happened in the first place but it is scary that I think this could easily happen to my parents.

          Not that it's exactly this easy nor do I understand or know exactly what happened and maybe I'm just paranoid but I'm always scared that it could happen.

          • Freezies on 30/08/2021 - 22:41

            @secondstory: wishing all companies in these fields would have some minimum defined protection for people from these kinds of attacks.

            They do. A lot of people are with Aldi Mobile, how many peoples accounts do you think have been accessed? Companies are totally responsible if they are hacked and account logins are leaked but that is not what has happened here. A sim replacement isn't an uncommon occurrence (I've done it myself with Aldi despite not having lost my phone).

            In order to achieve the sim replacement alone, they at least needed access to the OPs Aldi account, verification method and email. That's several layers of security bypassed right there. Then they needed more personal information and other logins and verification methods for the bank transfers. It's not something that's done so easily, in fact it's pretty damn difficult.

            This is a major compromise on the OPs side and has nothing to do with Aldi as even their bank accounts were compromised. There are far more security and protection measures today than ever before and although this can happen to anyone at any time (and not just nowadays) it doesn't happen anywhere near as much as you think and almost always happens because of a compromise on the user's side. It's up to user to set up proper security and use different passwords/log in methods.

            Something as simple as leaving your phone open and unattended can be like leaving your keys in an unlocked car. However, even if the OP used the same phone number and same password for every account with no 2FA or authentication of any kind, the banks still enforce your account to require at least a PIN or biometric scan to log in so how was this done as It's impossible without either. All of this still required them knowing the OPs specific banks and their account details and log-in information too. That's quite a lot to know about someone even if they managed to have the OPs phone, thumb and somehow gleaned their PIN numbers too…

            It's good to be a little paranoid to keep you on your toes, but in the end, if it happened, it was all prevented anyway as the banks were onto it and all of this was impossible just from having access to an Aldi account so relax. It's pretty hard to breach bank security as they are very pro-active in their response and your parents came up through generations without the cyber security we have today. As long as they have common sense you shouldn't worry too much.

  • CyberMurning on 28/08/2021 - 23:36
    +1

    Ok so your subject isnt right this is not illegal porting but someone call aldi says i lost my sim can you send me new one to this address.
    And funny aldi agreed with that address, so first check your aldi account what address is there.

    If that is yours then someone has access to your physical mailbox. Happened long time ago in the city apartment blocks, people stealing letters.

    But to access your bank they will need to enter your user name and password, before getting the sms.
    So, I will be worry about that as well

    • vikvance on 29/08/2021 - 07:41
      +2

      people stealing letters

      A stranger stealing OP's mail is one possibility.

      Another (perhaps more disturbing) possibility is that the person is somehow known to the OP. This could be a deadbeat relative or friend, to whom OP refused to give any more money, and who knows a lot of the details of OP's life, including the specific bank accounts where OP keeps their money.

  • peterpeterpumpkin on 29/08/2021 - 00:32

    I don't know if this is related to the scam but I'm getting SMSs every other day trying to get me to click a link to access either voicemail or a service message. Seems to be part of the "Flubot" malware, which only infects Android phones that allow side loading of apps (https://www.theguardian.com/technology/2021/aug/20/australia…).

    • Quantumcat on 29/08/2021 - 08:29
      +1

      I'm also getting these on my old phone number. The spelling is terrible, but maybe that's so only super gullible people tap on it and less people realise what's going on part way through the process.

  • localhost on 29/08/2021 - 01:15

    Actually your PC was hacked. From there they got accounts for banks and aldimobile. Next step - request new SIM.

    Be more careful with links and sites. Also use password managers and 2FA.

  • vikvance on 29/08/2021 - 07:56

    EDIT: ChiMot said that I should have received an SMS from provider asking if this port was authorised: see https://www.acma.gov.au/port-customers-phone-number
    If this had happened, this problem would NEVER have occured, so I think Aldimobile failed - I will be following this up with them!!

    The verification is actually supposed to be sent by the provider that you are porting TO and not the one you porting FROM.

    For example, my number is with Aldi Mobile right now, and someone requests Kogan Mobile to port my number to a new Kogan Mobile sim. It is then Kogan Mobile's responsibility to check that the person is the genuine owner of that number before they initiate the port. Aldi Mobile's responsibility is only to action the port in a prompt manner.

    The thing I'm trying to say is that if Aldi are your current provider (as seems to be the case) then they are blameless in this number-porting scenario.

  • Lurk Hartog on 29/08/2021 - 08:18
    +5

    This happened to me a few years ago with Optus. There had been mail theft from the block of units I lived in. They stole my replacement ING bank card on the mail, which stupidly has your account number printed on it.

    Then they did an in store sim replacement at an Optus store. The Optus store either didn't do their due diligence asking for ID, or the scammer had a fake ID with my address, or an Optus employee was crooked and taking kick backs.

    Some attempted withdrawals in Cabramatta were blocked. Thankfully, like OP, I realised what was happening as I was at home connected to wifi and started getting email alerts. If they do this while you're asleep, you end up with a much bigger mess to clean up.

    In the end I lost nothing, but it was stressful and I had to change a lot of accounts etc.

  • juzza87 on 29/08/2021 - 09:53
    +2

    OP please visit this website and see if your credentials have been leaked in any hacks: https://haveibeenpwned.com/

    After that if you use the same password for multiple accounts change it immediately, as if they had your Aldi they could try credential stuffing and get into your other accounts.

    I recommend a password manager like Bitwarden, using unique generated passwords for everything and a third party 2FA application. Avoid jailbreaking (iPhone), untrusted APKs (Android) and make sure your computers are safe by having the latest updates, a working antivirus and only trusted extensions in your browser/s.

    As for your physical ID being leaked I'm not sure what you could do except maybe request new documents with updated numbers (like license, medicare etc.).

    • GOCAT9 on 29/08/2021 - 20:25

      all good comments jussa87, thank you.
      I checked my phone number on haveibeenpwned and fortunately not pwned. My email address had, but I checked that a long time ago and it even reported 3 occurences way back then. I have no recent evidence that my email has been compromised.

      Fortunately, I never use same passwords anywhere. Yes, I am going to start using bitwarden or 1password from today. My PC has latest Trend Micro and I often run Malwarebytes.

      thank again for these strong suggestions, cheers.

  • lunchbox99 on 29/08/2021 - 09:54
    +8

    So much misinformation on this thread. Sim swap attacks do not rely on the users weak security - they rely on the PROVIDER'S weak security in not verifying the identify of the initial sim activation/swap request.

    So while not using mobile phone based 2FA will limit subsequent damage from a sim swap attack (by not allowing other accounts to have their 2FA intercepted), it will not prevent the sim swap itself.

    https://en.wikipedia.org/wiki/SIM_swap_scam

    In the US there was a push to make cellular providers require better ID verification and it was strongly resisted by the industry.

    I recently contacted commsec to complain that their 2FA is mobile number based and very large trading account balances are at risk due to this exact attack. I requested that they add authenticator app support and the ability to disable mobile number 2FA verification. Their response (as far as I know) was to do nothing.

    • Quantumcat on 29/08/2021 - 10:57
      +2

      I think all you can do (besides not use commsec) is get a new number on a longlife plan, and not give it to anyone or use it for anything else other than as commsec 2FA, and enable a code to be needed to do anything with the mobile account.

      Pretty poor of them to not allow app-based 2FA.

      • lunchbox99 on 29/08/2021 - 12:00

        You don't need to give it to anyone or use it for anything else. They randomly port active numbers. They can test if the number is actively simply by sending an sms to it.

        A user literally can do nothing to stop their number being taken over. It is 100% the responsibility of their provider to prove a person's identity before allowing a number to be changed.

        Commsec does allow app based 2FA (via their app), but as far as I know you can't disable mobile number 2FA. It does BOTH.

        • CyberMurning on 29/08/2021 - 12:15
          -1

          Correct. Your new number could be someone else number, It may be out there on dark web sold leaked years years ago.

          • Quantumcat on 29/08/2021 - 14:51

            @CyberMurning: It would not matter if your number was someone else's number, if they don't know who you are or what services are attached to that number it isn't going to do them any good to port it to themselves.

        • Quantumcat on 29/08/2021 - 14:48
          +1

          It actually does matter not giving it to anyone else. It doesn't help them to randomly port numbers, as they'd have no idea who they belong to or what services they are attached to.

          For it to be useful to port a number they need to know who a phone number is associated with - for example they are logging into an account they know the username and password to and need to be able to find out who the account belongs to and then find out what their phone number is to port it and do 2FA (you need 2FA if logging into an unfamiliar device for many services).

          They can find out what your phone number is by doing OSI (googling, looking at your linkedin, Facebook etc), or by breaching another service where you have also used the same phone number, or by having malware on someone's phone where you are a contact or hacking someone's email who has you as a contact. If you don't put that phone number anywhere on the internet (either publicly or as a 2FA to any other service) and don't give it to anyone they can't find out what it is. It would be overkill to do this for random small websites that don't have any credit card info but for something like commsec that could have hundreds of thousands of dollars of shares associated - worth it.

          A phone number used for 2FA should be treated like a password. Only reuse it and have it publicly available for services you don't care about and aren't attached to any money or sensitive info.

          • lunchbox99 on 29/08/2021 - 15:35
            +1

            @Quantumcat: As soon as they get your phone number they can reset your phone account - they then know who you are.

            This happened to one of my staff in 2020. Their phone number was hacked/ported due to Telstra shitty security. The hacker then reset their Telstra account password. They proceeded to use the registered Telstra email and phone to reset their google account. They then trolled gmail to find services they use and reset those accounts. it is a literally identity nightmare.

            Ironically Telstra made my staff member jump through many hoops to reclaim control of the account, which would have prevented it happening if they did this in the first place.

            • Quantumcat on 29/08/2021 - 17:10
              +1

              @lunchbox99: How did they get the account's email/username from just the phone number? If the phone number is not out on the internet they wouldn't be able to associate the two

              • lunchbox99 on 29/08/2021 - 20:28

                @Quantumcat: It's spelled out in black and white in the wiki link I posted. They start the other way around.

                "The scam begins with a fraudster gathering personal details about the victim, either by use of phishing emails, by buying them from organised criminals,[3] or by directly socially engineering the victim"

                It's well known. It even says Twitter CEO was hacked using this method. Frequently companies outsourced to provide support to the phone company leak the information or directly do the sim swap.

                I watch a few of those YouTube videos where scammers are scammed and it's not uncommon for the scammer to be traced to a business that provides support to multiple western comms firms.

                • Quantumcat on 29/08/2021 - 21:10
                  +2

                  @lunchbox99: You said

                  They randomly port active numbers.

                  I said that they need to start with details. Now you're saying they start with details. That is exactly what I said in the beginning. There's no scam that can be done by porting a number that you know nothing about. If you keep your number secret then they won't have details to go with it (unless the scam is by creating a phishing site to ask for your email, password and phone number/SMS 2FA code [after sending a request to the real site and then relaying what the user puts in to the real site] but then that isn't porting random numbers).

                  • lunchbox99 on 29/08/2021 - 21:24

                    @Quantumcat: Yes they can port random numbers. All it takes is someone at a telco to access your details (usually at an outsourced 3rd party). It has happened before. I will happen again. You think the twitter CEO publishes his personal phone number?

                    I don't care if you agree or not. You seem to be under some delusion that you're immune to this if you keep your number secret. Good for you. You're wrong, but keep living the delusion.

                    • Quantumcat on 29/08/2021 - 22:58
                      +1

                      @lunchbox99: The point is porting random numbers isn't going to help them use it for 2FA into an account 🤦‍♀️

                      If they are getting your details and phone number used for an account through phishing then that isn't porting a random number and using it to get into a 2FA-secured account.

                      • lunchbox99 on 30/08/2021 - 09:59

                        @Quantumcat: For the 10th time, they are porting random numbers. All they require is someone at the telco or external contractor (eg mobile phone shop or outsourced support) to leak details. They do not need to get it from the victim. Of course they can also get it from the victim via phishing, but it is not required.

                        This keeps going round in circles. Go read some articles about it. It happens. It happened to one of my staff without any interaction on their behalf (as far as they know).

                        • Quantumcat on 30/08/2021 - 10:23

                          @lunchbox99: You still don't understand. Porting a random number isn't going to give them your commsec username and password. Even if you get the email and password associated with the telstra or whatever account that isn't going to help you use it for 2FA on commsec. If they're going to get into your commsec account they will need your username/email, password, and the phone number you get 2FA on so they can use the corrupted external contractor you mentioned to port the number.

                          If you don't associate the phone number with yourself anywhere, once they have gotten your commsec username and password then what? What phone number do they ask the corrupted external contractor to port?

                          And if they ask the external contractor for a random phone number, how will that help them find the commsec username and password associated with that number?

                          • lunchbox99 on 30/08/2021 - 12:51

                            @Quantumcat: All someone needs is your name and DoB to gain a commsec client ID. In any case, if they use the ported number to get into your commsec linked email using mobile 2FA, the client ID is probably already there. I just checked my own email - commsec emailed my ID to my primary email account at some point. You then use commsec mobile 2FA to reset commsec pwd.

                            You still seem to arguing the angle that this doesn't happen, despite the obvious evidence that it does. But… I'm not your mother. Go research it. If you think there is zero risk, then fine.

                            You think not telling anyone your mobile makes you safe from this attack. It doesn't. YMMV

                            • Quantumcat on 30/08/2021 - 13:03

                              @lunchbox99:

                              All someone needs is your name and DoB to gain a commsec client ID

                              Incorrect. They also need your email, and access to that email.

                              I just tried it and it sends your client ID to your email address, and censors the email address. All you're going to achieve by porting a random number and also obtaining the first and last name and DOB for that phone number is the first two letters of the email address associated with the commsec account and the domain of that email. If you are smart enough to have a separate phone number for commsec you're probably also smart enough to use different emails for each important account also.

                              • lunchbox99 on 30/08/2021 - 13:41

                                @Quantumcat: After a sim swap the first thing they do is to take control of your email.

                                People can do all sorts of hypothetical things. You still seem hell bent on trying to prove this isn't a problem when it very clearly is a problem. I don't know what you're agenda is, but if you chose to believe this isn't a problem then fine.

                                I'm out. I don't think you have raised anything new and my job isn't to prove or disprove the validity of a well-known attack.

                                You seem to be completely missing the point. Mobile phone based 2FA is weak. Nobody should be using it. It is transmitted as plain text and is easily intercepted and/or taken over. The resistance of the phone industry in the US to making them more responsible for identity verification is because they argue mobile phone numbers were never designed to be a security device and this is reflected in the weaknesses around it's technical implementation. Phone companies also don't want the responsibility of being a gatekeeper in a chain of identity security.

                        • Jabba the Hutt on 30/08/2021 - 10:55
                          +2

                          @lunchbox99:

                          For the 10th time, they are porting random numbers. All they require is someone at the telco or external contractor (eg mobile phone shop or outsourced support) to leak details.

                          You're not talking about "random" numbers, then.

                          I think Quantumcat's original point is valid. While nothing's a guarantee, having a seperate, kept-as-secret-as-practicable number will significantly enhance security for accounts where SMS is the only 2FA option.

                          • lunchbox99 on 30/08/2021 - 12:41

                            @Jabba the Hutt: Random in the sense that it does not require the user to have done anything to leak info.

Login or Join to leave a comment
Login Join