Hacker Steals Sydney Man's Life Savings after Simjacking

This has quite a few elements of an OzB member… surprised it hasn't made the "have I been scammed" forum yet….

iPhone 12 Pro
ZipPay
AfterPay
ING account

Comments

  • "A hacker was permitted to use private details and activate an eSIM using just the Optus online message system,…"

    So would this have worked with a normal SIM?

    "Once the hacker had his phone number, they took control of all his bank accounts, raised the spend limit of a ZipPay account, attempted to do the same on his AfterPay account, and gained access to all his immigration documentation, including his UK passport."

    How could you do all that just with a phone number? Wouldn't you need login details for bank accounts etc?

    I'm not doubting the events, just curious as to how the crooks can accomplish all of that just with a phone number?
    If a person did no banking or sensitive stuff on their phone would they still be vulnerable to these types of criminals?

    • Me too, it's not like they had access to the physical phone, which may have had the bank accounts recorded in banking apps etc, or email addresses in an email app.

• I've been doing some reading and apparently if they hijack your number they can use it to compromise your accounts using 2FA (SMS, not a 3rd party app like Authy etc). But I still don't know how they would even know what banks you had accounts with? Or had your primary/banking email address?

        Doesn't make sense. Now if they stole your actual phone and you had that info on there then I could understand it.

        • +1

          Maybe they logged into gmail with their phone number?

        • I try to avoid SMS 2FA as much as possible because it's not secure, my guess is they tried every bank until they got a hit, or maybe they did some social engineering and rang up. I really wish the banks would move away from SMS 2FA, but then again, imagine having your average person try to use an authenticator app or a hardware key like Yubikey… I really wish they'd change it to an authenticator app or hardware key.

          As Skid said, maybe they found those accounts in their e-mail/G-mail inbox?

          • @Ultimate Gattai: Set up at least two Gmails. Never use the one that you store all the login details to register any service, no exposure no attack. It is the restoration email for all the other ones.

  • +1

    This had happened to me on Optus network multiple times. My number ported out to other telcos 7 to 8 times and each time I had to contact Optus to get it back. In this process, I lost around 15 to 20k which the bank returned thankfully after investigation. But I had to change my number to avoid porting out again.

    • How did they get to your bank account only with a phone number?

      • I really don’t know, but they got access to all linked accounts to my phone by changing the password.

        • OK. So if I don't do any banking or financial stuff with my phone am I still vulnerable somehow?

          • +3

            @EightImmortals: If you use a yubikey or 2FA app on your phone like Google authenticator you shouldn't have to worry. To compromise you a crook would need access to your phone physically and also be able to unlock it (or your yubikey).

            Personally I don't use sms authentication for anything I care about

        • Have you ever lost, lent, had stolen, or sold a phone, tablet or computer that you’d used for banking?

          • +1

@BigBirdy: none of the above. I am assuming my details (bank, email, DOB, etc, etc) were compromised either from the recruitment agency or mortgage brokers whom I was dealing with back then.

My number was ported out from Optus to another service provider a number of times a day before I was flying overseas. I am not sure how they came to know about the bank I was with, but they used my number to reset the password, register their mobile device on the online banking app and do cashless transactions. They also ordered a new credit card while I was overseas to a different address (which I came to know later) and used it at major retail outlets before it was blocked by the bank. Thankfully, the bank did pay me out after investigation, but it was a frightful experience. I was overall very happy with the bank's outcome, but Optus were very hard to deal with as I was in a contract and each time my number would port out, I spent hours on chat to convince them that it wasn't me doing it. They charged me with contract break fees, but returned it when I approached. I eventually had to move away from Optus because they could not stop number hijacking at their end.
            Note: I had 2FA on all my email accounts and this was the reason they could not access any of them.

  • Services deemed to be higher risk transactions, such as the issuing of eSims, are understood to require further authentication through knowledge-based questions.

    Bigger question would be how they got the information to pass authentication and/or how lax was the authentication process.

  • -4

    His hard-earned lifesavings, around $35,000, would also soon vanish, siphoned off by a hacker to a cryptocurrency exchange and then converted into untraceable Bitcoin.

    I've said this many times before.

    Users should always practice safe risk management and keep their assets in cold wallets until they're ready to spend them.

    Cold wallet > Tx to CEX > swap token > spend > Tx leftover tokens to cold wallet
    https://www.ozbargain.com.au/comment/11643042/redir

• So you're suggesting an under-the-mattress approach rather than a bank account?

      • I'm suggesting people read my post as many times as they need to understand risk management.

        • +3

          But he didn't have any crypto to cold store initially..

          • +1

            @randomusername2017:

            ANZ returned $26,000 and ING another $4000. Following an investigation by Bendigo Bank, Mr Donnelly will be refunded another $1600.

            Centralized networks like top tier legacy banks and CEX are not safe. The three legacy banks and the CEX failed miserably in their security.

        • +3

I think I understand risk management. For instance, I would never take advice from some nobody in an on-line forum who consistently spruiks "investment options - it worked for me!" that carry no guarantee or legislative oversight and have absolutely no options for recovery should they be lost, stolen or the nebulous organisation handling them disappear.

  • +1

    And for the love of Satoshi, get rid of sim 2FA. It's 💩.

  • +1

Or just never use your phone for anything that requires security like banking, insurance… just use it for photos and phone calls. I'm still happy to go to the teller.

    • +1

      Yea, because walking into a bank wearing a mask, producing a bank card with no photo or fingerprint to make a withdrawal using, at most, a PIN number, is so much more secure than a phone using 2FA with biometrics and a PIN. Do you also still pay bills with cash or personal cheque because you don’t trust electronic transfers?

    • +1

      If you think the teller is safe listen to this podcast episode https://podcasts.apple.com/au/podcast/how-hacks-happen/id158… and more specifically the Australian guy's story.

  • +6

still pissed off about the ShopBack leak

  • who was it?

    Mark Donnelly, it seems

  • as Bart said…I didn't do it.

  • +1

This is because banks have to use their own 2FA and started using SMS. This is lazy. HSBC used to have a dongle that would give a unique code when pressed. No hacking while that was in place.

Now they are going to make the telcos set up 3FA (yes, 3) in April to make SIM jacking etc. harder. Want to check your mobile balance? Get ready for a whole lot of pain….

    • +1

      It's good that banks are making their Apps more difficult to use.

      May be that will stop users from getting scammed.

      • +1

        I'm all for it, ever tried teaching people to use an Authenticator app or Hardware Key? They don't want to because it's inconvenient, I'd rather the inconvenience instead of being stolen from, 3FA is going to be a pain for me, but if that's what it takes now, so be it.

  • +3

    I find the article badly written and poorly researched in terms of how these scams work. Consider the following:

    "Hackers had turned their focus to simjacking after a long-favoured and lucrative technique known as "porting" was shut down, she said, following a spike in attacks and more stringent security protocols and measures being applied by telcos.

    Porting also allows hackers to take control of someone's phone."

The two are basically the same (other than porting may be across different telcos), and porting does not allow someone to take control of your phone. How does losing your number/cellular service result in a loss of control of your phone?

    • +1

      You can't blame the reporter. They may have majored in English and/or journalism but most of them don't know a lick of technology.

• more bad news: scams let through by lax security when porting to eSIM
    https://www.news.com.au/finance/money/costs/sydney-couple-lo…