Fraud on my O2 account

Daneel
Daneel Posts: 102 Forumite
I just got a call from my mobile network provider (O2), asking me if I had ordered a Nokia N95 a couple of weeks ago. I told them I hadn’t and was informed that someone had managed to get the password reset on my online account then ordered the phone online, delivered to an address that was not mine at a charge of ~£270 to my account.

They seem to (we’ll see what happens over the next few days) have dealt well with correcting this, refunding my account and not collecting the amount from my bank account this month (though, I had to raise this as a concern, they didn’t see that problem coming due to the bill having been sent out before they spotted the problem).

My larger concern however, is how the fraudster managed to get my password reset. Doing it via the website appears to be difficult, they send a code to my phone number as well as asking questions in order to reset. The lady I spoke to suggested that the fraudster had called O2 customer services and managed to get them to reset the password, and was given the new password…

I find that ludicrous from a security perspective so guess that either she is wrong (she was far from sure, not her area) or someone screwed up badly. What I want to know, is if the fraudster has any of my personal information, or he simply managed to fool a customer services person.

I think I’ll start with a call to customer services, but have a feeling I’ll need to put this in writing.

Does anyone have experience of this kind of fraud?

Comments

  • hotkee
    hotkee Posts: 505 Forumite
    edited 15 May 2009 at 11:38AM
    Well at least they managed to work out that a fraud was being committed.

    As for information the fraudster might have, well that depends on the information on o2 online - and from my experience there is no direct financial information on offer online and bank details can not be obtained via the phone.

    How the fraudster got into your o2 account, well that is not necessarily o2 fault, someone might have your details (let's not call it ID fraud I hate that), someone knew enough about you to be able to phone up and ask for an upgrade - now it might be someone you know or maybe someone who just got your details through internet scam etc.

    You might try working out where your details are online for a start and be even more careful than normal with your disposal of paper documents etc. Usual stuff - but at least you didn't lose out yourself, o2 have.

    PS - Lesson for o2 - don't give out information like that really. When I had trouble with signing on (forgetting password), have found o2 procedure to be rather tedious but more so their site annoying - but at least it's more secure than telling someone password on the phone - that's naughty.
  • Sol00
    Sol00 Posts: 1,230 Forumite
    There is another option; that it was a member of staff, possibly leaving the job? They would have access to the account and could change things back after it was delivered.

    Just a thought.
  • parallax_20
    parallax_20 Posts: 546 Forumite
    ooooh....you all have criminal minds. I like the way you think! hahaha
  • iwanttosave_2
    iwanttosave_2 Posts: 34,292 Forumite
    As for passing security, if you fail on your password then the advisor will ask you more questions such as your last bill and the 3rd and 5th number of your account number.

    So realistically, if that person had taken your bank statement they had the details they needed, once they have access to the account they could say "oh can I change my password to something I'll remember". It's not actually that difficult really.

    That said, I had a massive argument with a customer the other day because he couldn't answer any of these questions and he found it incredulous that I wouldn't allow him access to an account without proving he was the account holder. You can't please everyone.
    Work like you don't need money,
    Love like you've never been hurt,
    And dance like no one's watching
    Save the cheerleader, save the world!
  • asbokid
    asbokid Posts: 2,008 Forumite
    edited 15 May 2009 at 9:06PM
    Sol00 wrote: »
    There is another option; that it was a member of staff, possibly leaving the job? They would have access to the account and could change things back after it was delivered.

    Just a thought.

    And my first thought, too..

    And moreover, O2 had its own suspicion that the purchase was fraudulent.. Why would it think that? It's not the normal thing to suddenly assume that a transaction is fraudulent.. O2 has its own good reasons for contacting the customer to ask whether he had authorised the transaction..

    Something quite similar happened to me.. I was a victim of fraud in a bank.. I am quite sure the fraud was an inside job and that the bank covered it up to avoid the bad publicity.

    Many years ago, I opened a student account with NatWest at the Oxford Street branch of the bank in Liverpool 7..

    I used the account throughout my years as an undergraduate. During that time I was generally satisfied with the service I received at the branch. The staff weren't particularly friendly but then that's to be expected with NatWest.

    When I graduated, my NatWest account was no longer useful to me, and so I opened a new current account with another bank.

    I left the NatWest account in the black by a few pounds, just in case I should ever need to use it again.

    About five years later, my parents had a surprise call from NatWest. The woman from NatWest said that she needed to know my whereabouts. My parents explained that I had left home years ago. She left a message with my parents telling me to contact the bank urgently.

    Puzzled, I immediately called the number she had left.

    She told me that my old student account was substantially in the red, and that I must pay the money back immediately..

    I explained I hadn't used the account for at least five years, and that the account was a few pounds in the black the last time I had used it.

    "There must be a mistake", I said.

    "No, there is no mistake!", snapped the NatWest goon.

    "Well if it's not a mistake, then it's a fraud!", I said.

    "When was the last time you were in the Oxford Street branch of NatWest?", snapped the ghastly woman.

    "I haven't been to Liverpool for over five years", I replied..

    "Did you retain the cash card to your student account?", she probed.

    "I expect so.. but tell me, exactly what is all this about?"

    "You made a series of counter withdrawals from your [dormant] account. These withdrawals have left your account substantially overdrawn..", she claimed.

    "Oh dear.. well I certainly didn't make those withdrawals", I replied.

    "But can you prove you didn't make the withdrawals?", she pressed. "Do you have witnesses who can vouch that you were not in Liverpool at the time those withdrawals were made?"

    "Well tell me when the withdrawals were supposedly made, please", I asked.

    The NatWest goon supplied a series of dates about three months before when she said the unauthorised withdrawals were made.

    "As I told you, I haven't been to Liverpool for 5 years and those withdrawals certainly have nothing to do with me.."

    "But YOU can tell ME about this person who withdrew this money from my account", I demanded. "How did he identify himself?", I asked. "What identification documents did he show, to "prove" that he was me?"

    "I am not authorised to disclose that information" said the NatWest goon.

    "Oh, I see! And since my account has been dormant for five years, what on earth was the bank doing allowing anyone to withdraw from it, after all that time?"

    "I am not authorised to disclose that information."

    "Oh, I see! And why was a dormant account, showing no evidence of any incoming payments for years, allowed to go thousands of pounds in the red?"

    "I am not authorised to disclose that information."

    The NatWest goon terminated the call with the threat that the money "must be paid back" and that I would face a court action if I didn't pay it back. "We will be contacting you again shortly", she ended in saying.

    A few weeks passed.. I was getting worried, and called the bank to ask what was happening.. The short answer: nothing.. It's been resolved now, said the woman. The counter withdrawals were "accidentally" made against your account by someone who shares the same name as you, she claimed.

    I knew this was drivel... my name is quite unusual, and the likelihood of someone having an account of the same name, at the same branch of the same bank as I had previously used is, erm, approaching zero probability.

    Since it was all a "mistake", I called the bank and demanded an apology for the distress they had caused me..

    "Nope. I am not authorised to apologise to you." said another NatWest goon, "If you feel you are owed an apology, then you must request one in writing."

    And that was my experience of falling victim to a bank fraudster who pulled off an inside job at the Oxford Street branch of NatWest in Liverpool.

    For a bank insider, you can imagine how simple it is to orchestrate these sorts of frauds...

    Obtain a list of dormant accounts at the branch..
    Provide an accomplice with the details of those accounts
    At an agreed time, the accomplice makes a counter withdrawal, at the kiosk of a corrupt bank cashier.
    The cashier overrides any software alarms. Normally these would be triggered when the customer presents no identification, or when he attempts to withdraw from a dormant account, or when his withdrawal would leave an account heavily in the red..
    With all the safety mechanisms disabled by the rogue cashier, the accomplice leaves the branch with a large wodge of used bank notes..

    Elementary... my Dear Watson...
  • Sol00
    Sol00 Posts: 1,230 Forumite
    asbokid wrote: »
    "Nope. I am not authorised to apologise to you." said another NatWest goon, "If you feel you are owed an apology, then you must request one in writing."

    Please tell me you're joking with that quote. 'I'm not 'authorised' to give you an apology?' I can't believe even a bank would say that :rotfl:
  • asbokid
    asbokid Posts: 2,008 Forumite
    edited 15 May 2009 at 11:02PM
    Sol00 wrote: »
    Please tell me you're joking with that quote. 'I'm not 'authorised' to give you an apology?' I can't believe even a bank would say that :rotfl:

    Sadly it's true! NatWest said it was not the bank's policy to apologise in those circumstances. And I never did write and grovel for an apology from them!
  • Daneel
    Daneel Posts: 102 Forumite
    Well, it's not the bank exactly, it's someone in a call centre being paid £5 an hour who will likely say "I am not authorised to do []" if you ask something that isn't on their script.

    I'll call O2 tomorrow, probably get the run around, at which point I'll write them a letter. I still can't work out how someone would have enough information to get O2 to reset the password unless it was an inside job as suggested, the security process is very weak, or the O2 person that did it messed up.
  • asbokid
    asbokid Posts: 2,008 Forumite
    Daneel wrote: »
    I'll call O2 tomorrow, probably get the run around, at which point I'll write them a letter. I still can't work out how someone would have enough information to get O2 to reset the password unless it was an inside job as suggested, the security process is very weak, or the O2 person that did it messed up.

    Yeah, definitely put it in writing. The cops may get involved.

    Is it possible that someone installed a keystroke logger on your machine, or on a machine that you used to access your O2 online account? Do you access the internet from work, or from a public library, perhaps? Could your login details have been obtained in that way?

    Since O2 has been accommodating towards you, I suspect they know much more than they are letting on.. Perhaps they are aware that the password file on their authentication server has been compromised? If so, they would be aware that the fraud was much more than an isolated event, hence their willingness to trust your word.

    Have O2 outsourced their data management to an overseas contractor where, perhaps, data protection rules are not rigidly followed?

    You could perhaps contact the Information Commissioner, and/or file a Subject Access Request with O2 under the Data Protection Act.. You could explicitly ask them to provide the postal address where the phone was delivered, and ask them to retrieve from their server logs the IP address of the machine that was used to purchase this equipment from their online shop, and charge it to your account. However, I expect they would say that they can't provide this information since it may form part of a criminal investigation...

    Good luck.. Sounds like you have O2 on your side which is unusual(!)..
  • Daneel
    Daneel Posts: 102 Forumite
    Thanks for your comments.

    Before today, I can't remember the last time I accessed my O2 account online (it's probably been 4-6 months). I'm familiar with computers (honours degree in computer science, build my computers myself and have many friends who are sys. admins and similar) so the chances of there being a key logger or any other kind of spyware on my computer (Vista 64 fully patched, behind a firewall + Symantec Corporate AV) are slim to none.

    All my passwords are held in an AES-256 encrypted .7z file that has a strong password and is accessed as required.

    There wasn't any question that it was me, the woman I spoke to started with the assumption that this was fraud.

    I'll start by calling them, one step at a time :)
This discussion has been closed.