O2 account hacked and phone number stolen

Soldato
Joined
6 Mar 2007
Posts
9,736
Location
Surrey
It's really easy to trick mobile phone networks into doing sim swaps, which is why you should not use text messaging for your MFA on accounts. Only use authenticator apps .
 
Soldato
Joined
29 Apr 2004
Posts
4,881
Location
Bath
Just FYI Paypal does... you can choose to use google authenticator etc and remove the option for SMS message.

If you use a password manager like 1Password it will notify you when a site enables 2FA via access codes rather than SMS. I've moved all of my logins over but it sucks that banks still send access codes via SMS.
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,273
PayPal :mad:

Any further news?

I got up at 6.30am to call IKEA and see if I could put a stop on the order.. They cancelled it straight away... Then whilst on the phone Paypal emailed and said they had looked into it on the 2nd attempt and refunded me..

O2 however have been useless. I called their business support team and managed to get put through to the same person that dealt with the initial fraud a few months back.. Told her I need a call back from the fraud team asap
Still nothing..
If I dont hear this week I'll be taking our business elsewhere. I'll also be recommending to one of our accounts to put a piece in the company newsletter regarding Sim swap fraud and lack of giving a **** from o2

over 3500 employees will get that newsletter
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,273
Just FYI Paypal does... you can choose to use google authenticator etc and remove the option for SMS message.

I've looked for this and cant find it..

I use google Auth for account access but for password recovery one of the options is a code to be text to the registered number
 
Soldato
Joined
25 Nov 2004
Posts
3,792
I've looked for this and cant find it..

I use google Auth for account access but for password recovery one of the options is a code to be text to the registered number

Settings - Security - 2factor and remove any backups.

image.png
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,273
Settings - Security - 2factor and remove any backups.

image.png

^^ what he said :D

I have 2fa already switched on But it seems to only be for logging into my paypal account direct...... Have you tried to make a purchase and see if it needs the 2fa App before proceeding. And can you check to see if SMS password reset is still there


I've just tried it again and if you click the having trouble logging in. Recieve an SMS is still there as an option
 
Last edited:
Soldato
Joined
21 Jan 2016
Posts
2,913
Have you tried to make a purchase and see if it needs the 2fa App before proceeding. And can you check to see if SMS password reset is still there

Yes, requires 2FA from authenticator app before a purchase (assuming you haven’t trusted this device of course) and no option to use any other means.

However you just made me try to hack myself out of interest. Despite removing the phone as a backup option I can still reset password using text message... so far so stupid. Having reset the password successfully by text, I am then presented with a 2FA code requirement before logging in with my new password... so the system works. Nope, if I now click trouble logging in I can be texted a code and log straight into the account with my new password bypassing authenticator 2FA.

Dumb as bricks.
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,273
Yes, requires 2FA from authenticator app before a purchase (assuming you haven’t trusted this device of course) and no option to use any other means.

However you just made me try to hack myself out of interest. Despite removing the phone as a backup option I can still reset password using text message... so far so stupid. Having reset the password successfully by text, I am then presented with a 2FA code requirement before logging in with my new password... so the system works. Nope, if I now click trouble logging in I can be texted a code and log straight into the account with my new password bypassing authenticator 2FA.

Dumb as bricks.

I've sent Paypal feedback of the situation and info on sim swap fraud.
It'll probably not get anywhere though.

I've now removed my main number and have added a number by a different provider.

Crazy having the security that can be bypassed so easily. Granted a number of things have to fail first but Sim swap fraud is massive in america so wont be long before it comes here in a big way
 
Soldato
Joined
30 Sep 2008
Posts
6,769
Sim Swap fraud was a massive thing when I worked in telecomms retail 12+ years ago. We used to see it all the time back then, was pretty easy to shut down in store as we'd just demand a proof of ID before we'd do a sim swap, its a lot more challenging over the phone as if they know if your security details then the agent is ****ed.
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,273
How does this work? Surely if doing it over the phone, the new SIM gets sent to the address on the account? I.e. your address.

No you can use any o2 (the same provider as your currently using) sim. So you get a pay as you go sim. Initiate the sim swap and your number gets transferred to the new sim. You can buy them pretty much anywhere these days.
You just input the new sim's "serial" number into the system...


It has its uses.

Say you sim card went faulty. You can grab another ism form tesco and be back up and running in a few mins. But its that ease of use which makes it insecure
 
Soldato
Joined
1 Apr 2014
Posts
18,532
Location
Aberdeen
No you can use any o2 sim. So you get a pay as you go sim. Initiate the sim swap and your number gets transferred to the new sim. You can buy them pretty much anywhere these days.
You just input the new sim's "serial" number into the system...

That's very insecure.
 
Soldato
Joined
10 Mar 2012
Posts
3,554
Location
unstated.assortment.union
Sim Swap fraud was a massive thing when I worked in telecomms retail 12+ years ago. We used to see it all the time back then, was pretty easy to shut down in store as we'd just demand a proof of ID before we'd do a sim swap, its a lot more challenging over the phone as if they know if your security details then the agent is ****ed.

My wife was a manager in a call centre a while back for a major network. The main source of failure they had with regards to account security were undeniably via overseas call centres that the company employed. She remembers one report that stated that in 200 test calls 86% of agents neglected to complete correct authentication procedures. Several agents gave account details to callers that the account holder should know (address, DOB etc).

Further investigations also found that a certain 3rd party call centre company, based in a country known for telecommunications scams, was SELLING customer data.

How does this work? Surely if doing it over the phone, the new SIM gets sent to the address on the account? I.e. your address.

You can easily obtain a SIM from anywhere. Easiest option is to pick one up for a quid or so at a local low cost supermarket and then call and give the serial to have it activated. Many operators don't even required you to call, you can activate a SIM via online portals.
 
Soldato
Joined
1 Apr 2014
Posts
18,532
Location
Aberdeen
You can easily obtain a SIM from anywhere. Easiest option is to pick one up for a quid or so at a local low cost supermarket and then call and give the serial to have it activated. Many operators don't even required you to call, you can activate a SIM via online portals.

I see, but as a security measure, shouldn't they send a new SIM or a code by post to the registered address?
 
Back
Top Bottom