HyperJar, fraudsters stole kids money

up-north-eng

It’s been a heck of a week, my email has been accessed by fraudsters and, worse than that, they’ve managed to Sim swap me and steal my phone number. So that’s 2 factor authentication right there. Most companies I’ve had to deal with over the past couple of days have been great, especially PayPal. I’m still waiting to see if EE are going to cancel the £200 charges ran on my account in the 6 hours they had my phone number but the one that’s really bugging me is HyperJar. They’ve stole £45 of the kids pocket money and HyperJar just don’t care. I’ve asked them to investigate and they’ve said they found no fraudulent activity and are closing my account as per their terms and conditions. That’s it. The fraudsters have gone in, changed my linked bank account to theirs, (I have a screen shot of their sort and account number) then emptied all funds. HyperJar say they saw no fraudulent activity, are not liable, that the email address and phone number used on the account have been the same throughout the lifecycle of the account…. Here’s the kicker, they’ve said all remaining funds (about 3 pence) will be sent you your registered account and the account closed, they’re sending it to the fraudsters account! 🙈🙈. My question is where do I stand on any of this? Obviously given the callous nature of Hyperjars approach I’ll never be using them again but do they have a duty to investigate this properly?  

Aylesbury_Duck

up-north-eng said:

It’s been a heck of a week, my email has been accessed by fraudsters and, worse than that, they’ve managed to Sim swap me and steal my phone number. So that’s 2 factor authentication right there. Most companies I’ve had to deal with over the past couple of days have been great, especially PayPal. I’m still waiting to see if EE are going to cancel the £200 charges ran on my account in the 6 hours they had my phone number but the one that’s really bugging me is HyperJar. They’ve stole £45 of the kids pocket money and HyperJar just don’t care. I’ve asked them to investigate and they’ve said they found no fraudulent activity and are closing my account as per their terms and conditions. That’s it. The fraudsters have gone in, changed my linked bank account to theirs, (I have a screen shot of their sort and account number) then emptied all funds. HyperJar say they saw no fraudulent activity, are not liable, that the email address and phone number used on the account have been the same throughout the lifecycle of the account…. Here’s the kicker, they’ve said all remaining funds (about 3 pence) will be sent you your registered account and the account closed, they’re sending it to the fraudsters account! 🙈🙈. My question is where do I stand on any of this? Obviously given the callous nature of Hyperjars approach I’ll never be using them again but do they have a duty to investigate this properly?  

How was your email accessed?  Did you not have two-factor authorisation on the account in the first place?  Presumably Hyperjar's contention is that you allowed your account to be accessed by a third party, which is not their fault.

Do you use the same email and password for other accounts?  If so, get changing them as a matter of urgency, you may yet find other accounts compromised.

sheramber

How did they get your PIN /Passcode for Hyperjar?

Stenwold

up-north-eng said:

It’s been a heck of a week, my email has been accessed by fraudsters and, worse than that, they’ve managed to Sim swap me and steal my phone number. So that’s 2 factor authentication right there. Most companies I’ve had to deal with over the past couple of days have been great, especially PayPal. I’m still waiting to see if EE are going to cancel the £200 charges ran on my account in the 6 hours they had my phone number but the one that’s really bugging me is HyperJar. They’ve stole £45 of the kids pocket money and HyperJar just don’t care. I’ve asked them to investigate and they’ve said they found no fraudulent activity and are closing my account as per their terms and conditions. That’s it. The fraudsters have gone in, changed my linked bank account to theirs, (I have a screen shot of their sort and account number) then emptied all funds. HyperJar say they saw no fraudulent activity, are not liable, that the email address and phone number used on the account have been the same throughout the lifecycle of the account…. Here’s the kicker, they’ve said all remaining funds (about 3 pence) will be sent you your registered account and the account closed, they’re sending it to the fraudsters account! 🙈🙈. My question is where do I stand on any of this? Obviously given the callous nature of Hyperjars approach I’ll never be using them again but do they have a duty to investigate this properly?  

Sorry you've had to go through this!!

For some reason, a lot of users on these forums automatically revert to victim blaming when discussing fraudulent activity (and then the inevitable follow up comments justifying their behaviour blah blah blah).

The best thing to do is make a formal complaint with Hyperjar and just go through the motions until you get a final response from them, at which point take it to the Financial Ombudsman Service to investigate. Make sure you keep a record of all correspondence and screen shots as they will help the investigation. Just be prepared that it'll take a while for FOS to get to it.

Good luck   

Bradden

Considering they promote cards for children it seems pretty poor service.

born_again

up-north-eng said:

It’s been a heck of a week, my email has been accessed by fraudsters and, worse than that, they’ve managed to Sim swap me and steal my phone number. So that’s 2 factor authentication right there. Most companies I’ve had to deal with over the past couple of days have been great, especially PayPal. I’m still waiting to see if EE are going to cancel the £200 charges ran on my account in the 6 hours they had my phone number but the one that’s really bugging me is HyperJar. They’ve stole £45 of the kids pocket money and HyperJar just don’t care. I’ve asked them to investigate and they’ve said they found no fraudulent activity and are closing my account as per their terms and conditions. That’s it. The fraudsters have gone in, changed my linked bank account to theirs, (I have a screen shot of their sort and account number) then emptied all funds. HyperJar say they saw no fraudulent activity, are not liable, that the email address and phone number used on the account have been the same throughout the lifecycle of the account…. Here’s the kicker, they’ve said all remaining funds (about 3 pence) will be sent you your registered account and the account closed, they’re sending it to the fraudsters account! 🙈🙈. My question is where do I stand on any of this? Obviously given the callous nature of Hyperjars approach I’ll never be using them again but do they have a duty to investigate this properly?  

Sadly they have investigated this & found that the phone number was your number. They have nothing else to go on. Banks do not involve the police & do not have any further investigation powers.
All they will do is check their systems. 
As someone else mentioned, just how did they get into the account. As surely there must be some security (password etc) to get in to change anything. Or even top up account?

Agree with above you need to complain & see if you can get proof from (EE I take it) that this was a Sim Swap fraud. That may prompt a better response.
Just how much was taken?

up-north-eng

Thanks to those that have replied with something constructive to say. (I’d expect better from those with over 10k posts 😬) The amount taken isn’t a lot, around £40. My issue is their disregard to investigate properly when even I can clearly see the linked bank account was changed twice in a few hours and all money removed. They actually informed me they were closing the account BEFORE I registered a fraud issue. So they must know something is up as that’s pretty random. I’ve offered proof from EE but they’ve stopped responding to emails and there’s no contact number. I’ve now referred the to the Ombudsman, not for the money back, but for their disregard to my concerns and frankly callous nature towards a victim of crime. 

km1500

Just to possibly help others would it be possible if you gave an indication of how they managed to do a SIM swap and get access to your phone number. thank.you.

Aylesbury_Duck

up-north-eng said:

Thanks to those that have replied with something constructive to say. (I’d expect better from those with over 10k posts 😬) The amount taken isn’t a lot, around £40. My issue is their disregard to investigate properly when even I can clearly see the linked bank account was changed twice in a few hours and all money removed. They actually informed me they were closing the account BEFORE I registered a fraud issue. So they must know something is up as that’s pretty random. I’ve offered proof from EE but they’ve stopped responding to emails and there’s no contact number. I’ve now referred the to the Ombudsman, not for the money back, but for their disregard to my concerns and frankly callous nature towards a victim of crime. 

You might not like the questions people have asked, but they're relevant, and you did ask where you stand.  If you've been negligent in your IT/phone security, that affects where you stand and what you're entitled to.  It's also a warning that you may face problems with other accounts that haven't materialised yet.  If you've been as secure as possible, and are able to show that, then you stand a much stronger chance of enforcing your desired outcome.

up-north-eng

I’ve no idea how they’ve gained access to either my email or EE account, they’re both different passwords (and have since been changed again). I’ve also gone through every email received in that time and changed the password of every thing he’s accessed. How they sim swapped me was by logging in to EE, downloading an eSim, and requesting it be transferred. EE’s security questions were…

What is your name?
What is your phone number?

Absolutely shocking, no 2 factor, no mothers maiden name etc and no “we’ll send you a pin” Just name and number. I’ve gone back and read the webchat he made to do it. I’ve asked that all future eSim requests be blocked, I’d rather walk to the shop and get one in person.

Alderbank

^^This.^^
That's how it's done. Easy as that.

There was discussion about this in the technical press when eSims started to appear a few years ago.
An example is here from Roger Entner, an industry expert:
https://www.fiercewireless.com/tech/could-esim-technology-make-your-smartphone-less-secure

According to Entner, when carriers move to eSIM, hackers may continue to call them and "ask them to transfer your number to a new device." He said hackers might be able to give the carrier the IMEI number for the new device and convince the customer service representative to make the change. "It all depends on how lazy and how unmotivated the carrier employee is to actually follow the rules," he said. "Sometimes these people are just trying to please the customer, and instead of pleasing the customer they please the criminal." 

It is your call as to whether EE customer service representatives are 'lazy and unmotivated'. I couldn't possibly comment.