Lebara SIM Swap Fraud

hackedandangry

For Lebara customers and potentially new customers, did you know they can do an instant SIM swap without any warning? 

I lost network on Tuesday evening, found out Wednesday they had done a SIM swap. Apparently my email has been hacked and someone filled in a form online. They don't text to verify it's a legit request, no 2fa, nothing, it was an instant swap. 

So having made then aware the SIM swap was fraudulent, they said they'd send me a new SIM through the post, all would be back to normal. I asked for them to block my number and to do no further swaps. 

I received my new SIM Thursday but it wasn't working. I called and was told I'd need to be reactivated in the Vodafone network which would take 48 hrs. Still no network today but called my phone number yesterday, it is with EE! They ported my number out after I had reported the fraud and after me telling them to do no further swaps. 

I called EE who confirmed the swap was done Thursday morning so Lebara have enabled fraud, my banks have been hacked and Lebara have lied continuously to me. 

Do not stick with this company, you'll lose your identity, your email, your banks, hours of your time trying to get back your number, trying to prove who you are, it's neverending and I wouldn't wish this on anyone. 

TadleyBaggie

Seems the root of the problem was likely weak security on your part regarding your email account.

hackedandangry

TadleyBaggie said:

Seems the root of the problem was likely weak security on your part regarding your email account.

My email was secure, 2fa set up.

How about them porting my number after I reported fraud? Is that weak on my part? And the lies I've been told that my SIM would work, that I'll get it back in 48 hours, by the end of the next day, is that weak on my part? Or the lack of notification it was happening, is that also my fault? With SIM card fraud up 1000%, do you not think there should be 2fa? Or at the least, a text to confirm it was going to happen? 

Exodi

hackedandangry said:

TadleyBaggie said:

Seems the root of the problem was likely weak security on your part regarding your email account.

My email was secure, 2fa set up.

How about them porting my number after I reported fraud? Is that weak on my part? And the lies I've been told that my SIM would work, that I'll get it back in 48 hours, by the end of the next day, is that weak on my part? Or the lack of notification it was happening, is that also my fault? With SIM card fraud up 1000%, do you not think there should be 2fa? Or at the least, a text to confirm it was going to happen? 

I appreciate you're rightly quite emotional but the email compromise was the root cause, it's not unreasonable to identify that.

You say you had 2FA set up on your email account - what was the second authentication method?

I'm not trying to catch you out here, but as they needed access to your email to perform the SIM swap, this suggests it couldn't have been your phone, which implies you either had an authenticator or a backup email that I'd be concerned have also been compromised. Either that or could you have been socially engineered to provide access? Or you didn't have 2FA set up, I guess.

Have you regained control of your email account (including changing security details to remove your old number)?

In reality, effectively no-one is 'hacked' in the sense that most people interpret it (as in a scammer is able to brute-force access to a secure account). Most 'hackings' occur where the victims details are leaked from a data breach from a third party website (and the victim uses the same details across multiple accounts without 2FA)  or where they are socially engineered to provide the security details (e.g. the scammers pretends to be from your bank).

While most SIM swaps are done because of a lost SIM or a new device, so notification to the old device serves no purpose, I agree with you that there's really no reason they shouldn't at least notify the previous device that a SIM swap has been registered. Lebara certainly seems to a problem carrier in this regard for lack of care.

https://forums.moneysavingexpert.com/discussion/6532950/lebara-sim-swap-fraud/

https://forums.moneysavingexpert.com/discussion/6612264/sim-swap-fraud-growing-beware-nothing-changed-although-massive-increase-of-thefts-reported

hackedandangry

Exodi said:

hackedandangry said:

TadleyBaggie said:

Seems the root of the problem was likely weak security on your part regarding your email account.

My email was secure, 2fa set up.

How about them porting my number after I reported fraud? Is that weak on my part? And the lies I've been told that my SIM would work, that I'll get it back in 48 hours, by the end of the next day, is that weak on my part? Or the lack of notification it was happening, is that also my fault? With SIM card fraud up 1000%, do you not think there should be 2fa? Or at the least, a text to confirm it was going to happen? 

I appreciate you're rightly quite emotional but the email compromise was the root cause, it's not unreasonable to identify that.

You say you had 2FA set up on your email account - what was the second authentication method?

I'm not trying to catch you out here, but as they needed access to your email to perform the SIM swap, this suggests it couldn't have been your phone, which implies you either had an authenticator or a backup email that I'd be concerned have also been compromised. Either that or could you have been socially engineered to provide access? Or you didn't have 2FA set up, I guess.

Have you regained control of your email account (including changing security details to remove your old number)?

In reality, effectively no-one is 'hacked' in the sense that most people interpret it (as in a scammer is able to brute-force access to a secure account). Most 'hackings' occur where the victims details are leaked from a data breach from a third party website (and the victim uses the same details across multiple accounts without 2FA)  or where they are socially engineered to provide the security details (e.g. the scammers pretends to be from your bank).

While most SIM swaps are done because of a lost SIM or a new device, so notification to the old device serves no purpose, I agree with you that there's really no reason they shouldn't at least notify the previous device that a SIM swap has been registered. Lebara certainly seems to a problem carrier in this regard for lack of care.

https://forums.moneysavingexpert.com/discussion/6532950/lebara-sim-swap-fraud/

https://forums.moneysavingexpert.com/discussion/6612264/sim-swap-fraud-growing-beware-nothing-changed-although-massive-increase-of-thefts-reported

The 2FA on my email was password and biometrics and also linked to my phone number. 

There really is a massive lack of care from Lebara here. I called them earlier and they said they were waiting for EE for the PAC to come through. I rang EE to check as I don't believe a word they say now, and they were able to confirm there has been no port out request from Lebara, the only request they have was the port in.

I rang Lebara again and was told there's a technical issue which is why it hasn't been submitted, yet the supervisor had told me 30 minutes prior to this that not only had it been done, it's been escalated. So yet another lie. 

EE were very helpful and said if I can prove the number is mine by going into their store with something from Lebara showing my phone number, they could possibly help. 

However, Lebara point blank refused to send me anything to an email address other than the registered one. I've proved who I am by way of passing security questions and sending pictures of the back of my old SIM as well as the new SIM they posted to me, not good enough but I can understand that. I asked for it to be posted instead, they refused yet again as they don't use post. They also told me not to chase EE, they were doing it on my behalf. I can only assume they don't want me to chase EE as they hadn't done anything their end. 

Lebara have behaved appallingly here and I don't know what I am meant to do next. They repeat it will be done in 24 hrs yet without a request, it clearly won't be done. 

Exodi

hackedandangry said:

Exodi said:

The 2FA on my email was password and biometrics and also linked to my phone number. 

Then this right here was your problem as biometrics are not typically set up as 2FA.

2FA is where you are required to use 2 forms of authentication at the same time to log in to an account.

For example, I enter my password and I'd also be required to enter a code from my phone. Therefore to access the account I must know the password and have access to my phone.

Biometrics, at least in my experience, are used to replace the need to enter the password on your phone, however it is not typically used as a secondary authentication factor. If you tried to sign in to your email on your computer with your password, I expect it would not prompt you to also successfully validate your fingerprint on a registered device. The difference is password AND code from phone, instead of password OR biometrics.

This means that, despite having biometrics set up on your phone, a nefarious actor would have been able to access your email account with just your password. If your password is re-used on multiple websites, then this puts you at a high risk to being compromised, as this usually happens by a separate website suffering a data breach (which you signed up to), the login data is sold on the dark web, nefarious actors buy the data and then try to login with each set of details - they're praying that accounts don't have 2FA set up, which unfortunately it sounds like yours didn't.

It is fundamental the security on an email account is high, as this is often the key to gaining access to many other accounts as you're unfortunately realising.

As mentioned before, my first priority would be ensuring you gain access to your old account, log-off all other devices, change the password and properly secure the account with 2FA (authenticator app on your phone might be best (which effectively turns biometrics into true 2FA) since you're having troubles with your phone number).

hackedandangry said:

However, Lebara point blank refused to send me anything to an email address other than the registered one. I've proved who I am by way of passing security questions and sending pictures of the back of my old SIM as well as the new SIM they posted to me, not good enough but I can understand that. I asked for it to be posted instead, they refused yet again as they don't use post. They also told me not to chase EE, they were doing it on my behalf. I can only assume they don't want me to chase EE as they hadn't done anything their end. 

This would suggest your email account may still be compromised (or you don't have access to it).

I appreciate your anger is focused at Lebara at the moment, but you must appreciate, especially in the context of an account being reported as compromised, that it is sensible that they will only send details to the registered email?

What if you found out the scammers had contacted them, asking them to send your details to an email address not registered on the account and Lebara did? You'd (rightfully) hit the roof.

I truly sympathise with you, an email account compromise is massive and takes a gargantuan amount of effort to rectify, but to be balanced I also see in most threads of this nature that the posters tend to channel all of their anger at one particular company (e.g. you saying "Do not stick with this company, you'll lose your identity, your email, your banks") when in reality, as said at the start of the thread, 'the root of the problem was likely weak security on your part regarding your email account.'