Surprise text you don’t want
IF THERE'S one unexpected text message you really don't want to get, it's from your telco informing you that your number is being ported to a different carrier.
If you're unlucky, you'll see it too late and have the sinking realisation that someone is trawling through your accounts. That's what happened to Sarah last week.
"At about midday on Friday, my phone went into SOS mode," she said. At first she thought she had simply lost reception but when she happened to check her emails she realised something more sinister was going on.
It was then she noticed a security alert from her Google account saying her password had been changed. Someone had stolen her Vodafone number and moved it to smaller provider Lebara and begun going through her accounts.
"They had gone ahead and ordered a transaction on my PayPal account," the Sydney woman told news.com.au.
After effectively having her identity stolen, she says she was left "very shaken up."
"I am really scared in the sense that personally my information is out there," she said.
Sarah isn't actually her real name as she requested privacy after going through the ordeal and she still holds out hope the police will catch the person responsible and didn't want to jeopardise their efforts.
Mobile number portability is the ability to take your existing mobile number to a new service with a new provider. But many believe it is too easy to do, allowing fraudsters and criminals to illegally port a victim's numbers and use it to gain access to their accounts which are often protected by two-factor authentication.
Often perpetrators of fraud just need a date of birth or account number, along with the mobile number, to port the number to a new provider and take control of it.
Sarah was at work and didn't see the text in time to stop her number being stolen.
"There are some serious data breaches happening in this country. They have your number, they have your email and if they get your personal information they can do anything," Sarah said.
She was on a 24 month contract with Vodafone when it happened. She got her number back earlier this week but doesn't feel comfortable keeping it and says she will likely change it.
The same thing happened to Liz last month, who works for the federal government's Department of Human Services. She had her Telstra number illegally ported and $4160 withdrawn from her bank account shortly afterwards.
"I definitely didn't receive a confirmation text. I did receive a 6 digit verification code however," she told news.com.au. "Because I got that verification code, it meant that the fraudsters didn't so how could the Telstra operator continue the call and request?"
News.com.au has spoken with multiple victims of illegal phone porting in the past year who had to spend days dealing with banks, phone companies and authorities to sort out the problem, often needing to freeze their accounts for days.
One woman believed more than 30 of her friends and associates had their personal accounts compromised stemming from her number being ported against her will.
Like Sarah, victims are typically targeted on Friday making it harder for them to deal with cleaning up the mess as businesses operate with fewer staff over the weekend.
"When I went into Vodafone, they said my account wasn't even there," Sarah said. "I'm not sure it'll be taken very seriously … But it is serious identity theft. Anyone can be vulnerable to it, you give your number to so many people."
She is planning to start a group to spread awareness and put pressure on providers to make porting mobile numbers a more stringent procedure.
Despite a steady stream of disgruntled customers like her, telcos say their practices comply with industry standards.
Those standards are derived from a combination of formal government regulation and industry-wide self regulation which is ultimately co-ordinated and governed by the Australian Communications and Media Authority (ACMA), the consumer watchdog ACCC and the Communications Alliance.
Proactive consumers can request a note be made on their account by telco staff to boost identity checks such as a private PIN but few do until they are targeted.
Telcos will typically send a text and email to the account holder informing them of the porting request but giving them little time to prevent it. Porting procedures vary between carriers but it requires shockingly little information to make such a potentially disruptive change.
When it happened to ABC journalist Tracey Holmes last year, she speculated that someone had stolen her mail to get the necessary information.
The Telstra-owned virtual mobile carrier Belong sends a PIN code to the number being ported before it can progress with the request however Telstra does not.
"Telstra understands that fraudsters may move numbers between carriers should they have the right information about a customer," a Telstra spokesman told news.com.au.
"As a result of this, Telstra has increased its controls within regulation and industry rules, by ensuring the customer for who we have received a port out request is informed of this by SMS before the port out occurs."
Dr Terry Goldsworthy is a former detective inspector for the Queensland police who now works as an assistant professor at Bond University. He began researching the prevalence of illegal porting last year.
He believes there has been a regulatory failure in Australia when it comes to dealing with the issue. Because there is a lack of public data on this particular type of fraud, he believes it is happening much more than we know.
HOW TO PROTECT YOURSELF
• Talk to your provider and your bank to set up a secret PIN number or password to identify yourself when you call them or deal with them in person.
• Use strong privacy settings on social media sites to limit the information you share, particularly your date of birth.
• Ensure you have a strong password online and separate passwords for every account by using a password manager.
• Install antivirus software on your computer, tablet and smartphone to ensure your devices are protected from hackers and regularly run antivirus scans.