Mobile Phone Number Stolen and then used to access my Bank Account!

Bruce2k

Hello,

I hope this is posted in the correct place and that someone can help me!

In a nutshell, my phone number was stolen by a fraudster. Once they had control of my phone number, they reset my online banking details and transferred money from my account.

In detail, here is the full story (and timeline);

Tuesday 16th - I receive a text from my phone provider with my PAC code and notifying me that my number would be moved to a new provider within 48 hours. I called my phone provider and notified them that this was a fraudulent attempt to steal my number. They reassured me that my phone would remain and they would block the attempt and investigate the matter.

Wednesday 17th - about 24 hours after I received the text message, my phone went dead. I called my phone provider and they notified me that unfortunately they hadn't blocked the attempt and my number had been moved to another network. Agent again said they would notify the new provider to block the number and they would request it back. I was issued with a temporary number in the interim and the request to get my number back would take 48-72 hours. They assured me that there was nothing to worry about and they don't know why fraudsters try to steal phone numbers.

Friday 19th - I tried to login to my online banking but it had been blocked and there was a note to call their fraud team. I called the fraud team and they notified me that almost £3k had been transferred from my account and that I would need to go to my local branch with ID and proof of address. At this point I called my mobile provider for an update. They advised me that my number was still on another network and they hadn't completed their internal investigation.

Bank told me that they had the funds on block and they would return this to me within 2-3 days - no issue with my bank. They have been excellent.

Obviously I wasn't happy with the detail from my phone provider. They refused to give me any information on what personal information the fraudster held of mine, or what details they revealed. I escalated the matter with the Agent on the phone (after 30 minutes on hold, and 45 minutes of going around in circles with detail) to a complaint handler whose attitude towards the complaint was pretty poor. They refused to give any detail or admit any fault. They claim they followed protocol.

Tuesday 23rd - mobile phone number was returned to me.

To this day, I still have not received any updates on their investigation, had all requests for information denied and pretty much told that once the phone number was returned that would be the end of it.

Obviously I really want to pursue this to find out exactly what happened, and why it was so easy to port my number to another network. I really want to find out what details the fraudster had about me so I can prevent fraud going forward.

What I do know from mobile phone provider is that their security protocol checks for the following information as security;

Name
Address

The callers then need to verify the password on the account. If you do not know the password the following questions are asked;

Phone Make and Model
Place Where Contract was Bought

If you do not know this information they will ask for the bank account number linked to the account.

Phone provider has almost (with extreme pressure from me) hinted that the fraudsters didn't know the Phone Make and Model or Place Where Contract was Bought.

I suspect (or they want me to believe) that someone had my bank details all along and that they are not to blame. I had at that point, told them that my bank account had been compromised via my phone.

I have already reported this to Action Fraud UK, who advised me that technically Identifty Theft isn't a crime until I become liable financially (at the moment I am not). I've also contacted the ICO, aswell as OFCOM to ask about various rights and responsibilities in this instance.

ICO have said that I should request as much data (as well as compensation) as I like, and if phone provider does not comply then escalate the complaint with OFCOM.

I want to pen an email to phone provider tomorrow and would like some legal advice on what to input! So far, I have requested the following;
Electronic Copy of the call to phone provider on 16/07 in which Security Protocol was breached and PAC Code requested
A Copy of my own Personal Data which phone provider may have shared with Third Parties including but not limited to Credit Agencies, Phone Providers, Marketing Companies and any other Third Party
Phone Unlock Code at sole cost to phone provider; I will obviously switch network myself and have cancelled my direct debits
To resolve this complaint with phone provider, I require the following;
Phone Proivder to place a Cifas Marker on my Credit Report; which can only be removed by me at my time of choosing - ICO advised me to do this; is it relevant or worthwhile?
Detailed report from phone provider which confirms there has been a review of security protocol with recommended actions to prevent future similar instances of identity theft
Release from my remaining contract with phone provider; with all associated fees the sole responsibility of phone provider
Acknowledgment of fault and apology by phone provider for inconvenience caused
Compensation of £XXX - I'm not so bothered about the compensation part here. All I want to be be free of phone provider and them to admit fault/apologise. But ICO were very adamant that I would be entitled to compensation of some sort. Is there precedent on how much I could potentially ask for? I have noted some phone providers have paid out large amounts in the past for fraud on customer accounts but unsure if the circumstances are similar to my own.
I also don't know how to check if there are other things the fraudster would have applied for in my name such as credit etc - is there any way I can check this?

Hope to hear from you soon!

bris

A bit long to read so no point reading it all, but to the point.


How did they get your bank details including your security question, pin numbers etc to access your account, a phone number can't do that.


There's a bit more to this than just a phone number.

mattvolatile

Your phone number absolutely can do that, as we're in an era where your phone number is increasingly used as a last-line mode of identity authentication -- ever had authentication codes or reset reminders sent to you by text? Fraudsters can steal your phone number with some social engineering tricks. With that, if they know your email address, they can reset the password on your email account, which will then reveal to them what bank you're with. With full access to your email address and phone number, they can likely use "Forgot Password" functions to gain access to your online banking. As we all regularly provide our email addresses and phone numbers to all kinds of services to which we subscribe, data breaches can easily put this information in the hands of criminals.

Google "SIM Swap" or check Brian Krebs' articles at Krebs on Security.

One way to mitigate the risk of this increasingly popular attack is to use physical authentication on your primary email address.

mattvolatile

I'm amazed that your provider told you that they didn't know why fraudsters steal phone numbers. It's an increasingly popular form of identity theft as your phone number is often the last line of authentication for email and online banking accounts.

You've been the victim of a SIM swap, OP. Change the passwords on your email accounts urgently and investigate usb key authentication for all your important online accounts.

Your phone provider is ultimately at fault here, so you need to focus your complaints on them. Google "SIM Swap complaints" or "SIM swap fraud UK" for more advice.

Bruce2k

Thanks for your reply.

Yes; I believe they just didn't want to admit liability in this case so have denied that this in an ongoing issue.

Thanks for your advice - I have looked at some articles on SIM Swaps, which explains the detail. Is there precedent for compensation for victims?

BoGoF

For someone thats "not so bothered on the compensation part" that's all you seem to be interested in.

Bruce2k

Not particularly; what I mainly want is to move away from provider and not have to pay an early exit penalty. I have no trust in mobile provider to protect data at this stage.

Of course, if there is a recommended standard compensation advised as precedence, why would I not ask for it? What I have asked for on this forum is if there is precedence - nothing else.

SharronF72

I'm interested in knowing what happened next and if you suffered further fraud. I've just had EXACTLY the same thing happen to me this week, and I have taken a huge amount of evasive steps, but I am anxious there might be something I haven't thought of..
Thanks

Bruce2k wrote: »

Hello,

I hope this is posted in the correct place and that someone can help me!

In a nutshell, my phone number was stolen by a fraudster. Once they had control of my phone number, they reset my online banking details and transferred money from my account.

In detail, here is the full story (and timeline);

Tuesday 16th - I receive a text from my phone provider with my PAC code and notifying me that my number would be moved to a new provider within 48 hours. I called my phone provider and notified them that this was a fraudulent attempt to steal my number. They reassured me that my phone would remain and they would block the attempt and investigate the matter.

Wednesday 17th - about 24 hours after I received the text message, my phone went dead. I called my phone provider and they notified me that unfortunately they hadn't blocked the attempt and my number had been moved to another network. Agent again said they would notify the new provider to block the number and they would request it back. I was issued with a temporary number in the interim and the request to get my number back would take 48-72 hours. They assured me that there was nothing to worry about and they don't know why fraudsters try to steal phone numbers.

Friday 19th - I tried to login to my online banking but it had been blocked and there was a note to call their fraud team. I called the fraud team and they notified me that almost £3k had been transferred from my account and that I would need to go to my local branch with ID and proof of address. At this point I called my mobile provider for an update. They advised me that my number was still on another network and they hadn't completed their internal investigation.

Bank told me that they had the funds on block and they would return this to me within 2-3 days - no issue with my bank. They have been excellent.

Obviously I wasn't happy with the detail from my phone provider. They refused to give me any information on what personal information the fraudster held of mine, or what details they revealed. I escalated the matter with the Agent on the phone (after 30 minutes on hold, and 45 minutes of going around in circles with detail) to a complaint handler whose attitude towards the complaint was pretty poor. They refused to give any detail or admit any fault. They claim they followed protocol.

Tuesday 23rd - mobile phone number was returned to me.

To this day, I still have not received any updates on their investigation, had all requests for information denied and pretty much told that once the phone number was returned that would be the end of it.

Obviously I really want to pursue this to find out exactly what happened, and why it was so easy to port my number to another network. I really want to find out what details the fraudster had about me so I can prevent fraud going forward.

What I do know from mobile phone provider is that their security protocol checks for the following information as security;

Name
Address

The callers then need to verify the password on the account. If you do not know the password the following questions are asked;

Phone Make and Model
Place Where Contract was Bought

If you do not know this information they will ask for the bank account number linked to the account.

Phone provider has almost (with extreme pressure from me) hinted that the fraudsters didn't know the Phone Make and Model or Place Where Contract was Bought.

I suspect (or they want me to believe) that someone had my bank details all along and that they are not to blame. I had at that point, told them that my bank account had been compromised via my phone.

I have already reported this to Action Fraud UK, who advised me that technically Identifty Theft isn't a crime until I become liable financially (at the moment I am not). I've also contacted the ICO, aswell as OFCOM to ask about various rights and responsibilities in this instance.

ICO have said that I should request as much data (as well as compensation) as I like, and if phone provider does not comply then escalate the complaint with OFCOM.

I want to pen an email to phone provider tomorrow and would like some legal advice on what to input! So far, I have requested the following;
Electronic Copy of the call to phone provider on 16/07 in which Security Protocol was breached and PAC Code requested
A Copy of my own Personal Data which phone provider may have shared with Third Parties including but not limited to Credit Agencies, Phone Providers, Marketing Companies and any other Third Party
Phone Unlock Code at sole cost to phone provider; I will obviously switch network myself and have cancelled my direct debits
To resolve this complaint with phone provider, I require the following;
Phone Proivder to place a Cifas Marker on my Credit Report; which can only be removed by me at my time of choosing - ICO advised me to do this; is it relevant or worthwhile?
Detailed report from phone provider which confirms there has been a review of security protocol with recommended actions to prevent future similar instances of identity theft
Release from my remaining contract with phone provider; with all associated fees the sole responsibility of phone provider
Acknowledgment of fault and apology by phone provider for inconvenience caused
Compensation of £XXX - I'm not so bothered about the compensation part here. All I want to be be free of phone provider and them to admit fault/apologise. But ICO were very adamant that I would be entitled to compensation of some sort. Is there precedent on how much I could potentially ask for? I have noted some phone providers have paid out large amounts in the past for fraud on customer accounts but unsure if the circumstances are similar to my own.
I also don't know how to check if there are other things the fraudster would have applied for in my name such as credit etc - is there any way I can check this?

Hope to hear from you soon!

TadleyBaggie

Bruce logged off on the 29th July and never came back.

nyermen

With EE, if I go instore they ask for ID even to change sim card. I wonder if there's a loophole in the pac code system.

OP (and later, since this is a thread bump). 90% sure you need to look close to home, or its a more complex scam (computer infected, etc). They need to know a lot of info, and then more with your bank, to do what they've done.

I say 90% because only thing I can think of is - some mobile providers online accounts do show your current make and mode, as well as having redacted details of your direct debit on bills. One password hack, and they could have enough to pass security to get pac code, and they may know your bank as well (first two digits of sort code are enough).
Yes tinfoil hat moment perhaps. My excuse is i've had to work the last two weekends straight, urgh. Really looking forward my time off next week