Phone-number theft nightmare to sort
When fraudsters strike, telcos frustratingly slow in coming to rescue and putting halt to plunder, ex-MP says
Contrasting the telco statements last week about tightened-up security procedures for number porting with how barrister Matt Robson, a former Alliance Member of Parliament and Cabinet minister, lost his number and had to fight to get it back shows that the current rules badly need changing.
There’s no warning when porting fraudsters strike. Robson noticed on the afternoon of September 24 that his phone had no network coverage for no apparent reason.
His phone did not reconnect to the network and the following morning Robson visited the Vodafone Queen St store to be told by a representative that his number had been ported to Skinny.
The person who had requested the number transfer to Skinny was allegedly Matt Robson himself.
An astounded Robson said he never authorised the transfer of his phone number, which he’d had for more than two decades.
Unfortunately for Robson, this is where his efforts to get the number returned got bogged down and gave the fraudsters time to rip him off.
“Vodafone’s front-line staff didn’t seem to know what to do, even though I offered to prove my identity with a passport,” Robson said.
The Vodafone representative in the Queen St store refused to call Skinny about the porting, because that’s against the current rules.
Without a working mobile, Robson used another phone at his office to call Skinny’s 0800 number.
While on hold, Kiwibank rang Robson’s office number to tell him that his accounts had been frozen.
Someone posing as Robson had used his number and the bank’s Smart Phone facility to transfer money into two other Kiwibank accounts.
“They took $20,000 but as they tried to empty all my accounts at the same time, Kiwibank noticed it quickly and froze them,” Robson said.
The same fraudster also used Robson’s phone number to reset his Microsoft account password. After the password change, the fraudster obtained confidential client information and had access to sensitive data on his computer, Robson said.
Despite advising Skinny that he’d been defrauded, he said the telco refused to block the number.
Robson sent a complaint letter to Skinny, and noted that the Spark-owned telco “had clearly not asked for any standard Know Your Client (KYC) identification (passport, utility bills, etc) from the person who impersonated me.”
He returned to the Vodafone Queen St store and managed to get a reluctant representative there to call Skinny to block the phone number and return it to Vodafone, but that attempt was again unsuccessful. Vodafone told Robson to report the porting fraud to the police. What the police did beyond acknowledging the report isn’t known to Robson, who has not received any updates.
After Vodafone’s fraud investigators became involved, Robson got his phone number back. However, the agonising process took several days of going back and forth. On top of the financial loss and privacy breach, Robson had to seek paid help from an infosec professional to secure his communications.
Whose responsibility is it to verify porting requests? In this case, it was Vodafone’s job, Spark spokesperson Elle Dorset explained.
“The current law determines the process and it’s up to the LSP (losing service provider) to verify and approve the port,” Dorset said.
Vodafone, however, is not permitted to contact customers directly because it could be seen as an attempt to win back their business.
Dorset said that prepay mobile providers in NZ were not legislated to capture any KYC identification beyond what was necessary for the port to be submitted.
Those details are the phone number, current provider plus the SIM and account numbers, but beyond that prepay connections are anonymous in New Zealand.
Skinny did not block the number because that would have prevented it from being ported back to Vodafone, Dorset said.
“We have not provided financial compensation to customers affected by this type of fraud,” she said.
Instead, she said it was for banks to reimburse people who had funds fraudulently withdrawn from their accounts, provided they were satisfied the customers were not complicit in the fraud.
Vodafone spokesperson Nicky Preston explained that social engineering by the fraudsters helped the porting attack to succeed.
“This customer, Matt, was subject to a phishing attack and the fraudster managed to get around Vodafone’s security questions by supplying Matt’s personal information that had been gained via another means,” Preston said.
“We’re not sure how the fraudster obtained Matt’s personal information in this instance, but in other cases we have seen birth dates pulled from social-media sites or account details taken from stolen postal mail,” she said.
“We’ve been working closely with the telco industry body, the Telecommunications Forum (TCF), to put additional measures in place to make porting fraud more difficult in New Zealand. Other countries have put similar measures in place, for example Australia implemented a ‘Pre-port Verification Process’ in mid-2018,” Preston said.
Robson’s experience shows that the additional measures can’t come too soon. For now, be wary of posting identifiable details on social media and watch out for letters from providers being intercepted.