cancel
Showing results for 
Search instead for 
Did you mean: 

My O2 account was hacked!

Anonymous
Not applicable
A couple of weeks ago I received an odd text from O2 informing me that I can upgrade my handset in September 2013. Now, I have a sim-only contract and haven't had a new handset from O2 in a number of years but I knew my contract was due to expire some time in late September so I checked my O2 account online. It seems that I now have a new tariff of £36 a month, which I knew nothing about and checking on down the page I spotted a completed order which turned out to be for an iPhone 4. Naturally I hadn't placed this. The Yodel tracking number revealed that it had been delivered to an address that wasn't mine the previous day.
I called O2 and discovered that my security question had been changed along with my home address and e-mail address. Someone had clearly managed to access my O2 account online and ordered himself a phone at my expense. Since the user name and password are known only to me, either O2's site security is extremely poor or someone inside O2 has accessed my information. Either way, I'm not impressed.
The customer service adviser was very helpful and promised that the fraud department would investigate and call me. However, eight days later I have heard no word from them and in the meantime I can do nothing about changing my contract while there is an issue with my account. I was planning to get a new phone, possibly the new iPhone when it comes out, but now I'm very concerned about O2's security. I've been with them for over ten years but I'm seriously considering whether I want to continue with them now.
The only piece of good news is that the phone was delivered one day and blacklisted the next.
Has anyone else had this happen? If so, how did O2 handle it?
Message 1 of 343
35,307 Views
342 REPLIES 342

Anonymous
Not applicable
O2 are actually making their security process stricter for customers calling in.
Within the next few weeks, you'll be asked for characters of your password, instead of the whole thing, similar to when you call the bank eg;
Your password is: Canada75
You're asked for characters 2, 3 and 6
You'd give the agent a, n and a which they will input and if correct will allow them to access your account.
Message 21 of 343
3,737 Views

Anonymous
Not applicable
I know it's not policy, unfortunately though it is happening, even in cases where external access to details has been virtually impossible.
I hope it's as rare as you believe it to be.


It's all relative perksie, even if it was 0.5% of the customer base it would affect 120,000 customers, I only hope it's much less than that.
Message 22 of 343
3,737 Views

perksie
Level 69: Guiding Light
  • 27019 Posts
  • 247 Topics
  • 1614 Solutions
Registered:
Well it's good to hear they're tightening up and taking these events seriously.
The last time I phoned in on the 3rd November I was asked if I had a password, replied "Yes" and was then put straight through to deal with my account issue with nothing else asked for, no security question, nothing, other than my name and phone number.
It's only relative when it happens to someone else! :mansurprised:
To support Disasters Emergency Committee: http://www.dec.org.uk/appeals text Nepal to 70000 to send £5

Sky Unlimited Broadband - Windows 10 - Nexus 4 Android 5.1.1
Message 23 of 343
3,737 Views

Anonymous
Not applicable
O2 are actually making their security process stricter for customers calling in.
Within the next few weeks, you'll be asked for characters of your password, instead of the whole thing, similar to when you call the bank eg;
Your password is: Canada75
You're asked for characters 2, 3 and 6
You'd give the agent a, n and a which they will input and if correct will allow them to access your account.

That is really welcome news. I trust that this means the call-taker won't know the full password then? My bank does that and I feel very safe with it. Hopefully you get 3 attempts and then you're forwarded to fraud for verification.
Ironically I had actually set up a similar system back in July this year. I contacted fraud and we established a new password, again, and it was agreed that I would only be asked random letters from it. A call to 02 yesterday revealed that my word have yet again been changed and the letter idea removed.
Reinforcing previous posts as well, yesterday's encounter actually had the agent spoon-feed me the answer by telling me the question. This is despite my account notes being littered with fraud-team entries.
So I welcome any tightening of security 02 can put together; currently their system seems way too easy to get passed.
Unfortunately it won't get my personal data back but hopefully others will be spared my experience.


Message 24 of 343
3,737 Views

Anonymous
Not applicable
O2 are actually making their security process stricter for customers calling in.
Within the next few weeks, you'll be asked for characters of your password, instead of the whole thing, similar to when you call the bank eg;
Your password is: Canada75
You're asked for characters 2, 3 and 6
You'd give the agent a, n and a which they will input and if correct will allow them to access your account.

That is really welcome news. I trust that this means the call-taker won't know the full password then? My bank does that and I feel very safe with it. Hopefully you get 3 attempts and then you're forwarded to fraud for verification.

Nope, most likely they will still see the password, it's just what they ask for that changes. When it is a number style security system then it's usual that the operator can't see the numbers and have to enter what the customer says and see if it's correct. But, a word style system usually just shows the operator the password and they choose two characters to ask for.
It's highly unlikely that they are changing the computer security programme they have, more likely just changing the wording of the security scripting.
Message 25 of 343
3,737 Views

Anonymous
Not applicable
It isnt policy to allow this kind of access though. O2 has a rigid data protection policy.
O2 most definately do not have a 'rigid data protection policy' and no changes are being made any time soon. I know this as I have discussed my case with someone high up in Matthew Key's department, he is the CEO, ####
Instead of o2 spending money setting up a Fraud Department perhaps the money would have been better spent on installing new security systems to avoid the number of people having new phones fraudulently ordered against their account. My account was used fraudulently by telephone so nothing to do with any security measures that I use at home.
It is disgraceful that large companies like this feel they can get away with this disgraceful lack of care over personal information and I want to try and get a group together to sue o2 for breach of the Data Protection Act and may try to set something up through Facebook to do this. There are very large fines for breach of this act and maybe o2 will then take notice that they MUST do something immediately - something that would be oh so simple to do yet they still haven't acted.
I don't want to change from o2 as my reason for going to them was they have call centres in the UK and before this incident I was very happy with the service I had received but, on principle, I have to change provider.
I don't believe this hacking is anything to do with upgrade dates as I am on their Simplicity plan which does not give you an upgrade date.
With regard to the addresses the phones are ordered for it turns out the people at the address may be comletely innocent as the fraudsters pick an address and then hang around watching for a delivery driver, when they turn up they rush up to them and ask them if they are making a delivery to that house and make an excuse as to why they are not inside, sign for and take the phone. The delivery guys should be made to actually call at the house to deliver the phone not pass it to someone who blaggs it in the street!! I also know someone who was on the other end of this scam - they were the one at the address that the phone was delivered to! They returned the phone to o2 but guess what - they sent it out again!
So all in all - o2 DO NOT have strict policies in place and if the frauds were the result of 'lazy operatives' if they had a lock out system in place the 'lazy operatives' could not be at fault. But until they install such systems this will continue. As I've said before - if the credit card companies can do it WHY can't o2.
Message 26 of 343
3,737 Views

sheepdog
Level 26: Upbeat
  • 3363 Posts
  • 31 Topics
  • 39 Solutions
Registered:
I can assure you that the credit companies do not have failsafe fraud systems. I personally have been the victim of card fraud and my banks response was to increase my limit which in turn added to the amount of fraud...
But you are missing the point - it doesn't matter what kind of systems you have in place (someone will moan) its the culture and attitude ingrained by re-enforced training that will have more benefits than implementing a new IT system.
Though I have to point out a big flaw in most peoples arguments here: you're using social networking sites like Facebook which requires you to enter sensitive details. Online security of these sites are notoriously bad and its not hard to extrapolote sufficient info to exploit just by browsing through let alone hack accounts.
What most people don't realise is that these sites are based abroad, your data is not protected in the same way. It may be in the T&C's of the site but there's no point in moaning at companies if the end user is willing to give away their info to someone else.
Message 27 of 343
3,737 Views

Anonymous
Not applicable
Sheepdog - actually I DON'T use Facebook! I suggested it as a method of contacting other people in the same position as myself.
It is you who is 'missing the point' - my account was hacked over the telephone and not internetand am I not 'willing' to give my information to anyone else.
Also whilst you may have had a bad credit card experienc, I had a very good one with M&S who locked my account out immediately there was a transaction outside my usual spending pattern.
I have also discussed my case at length with o2 and know suggestions to improve security are being discussed but unfortunately not actioned so I do know their systems could and should be improved to lessen the likely hood of this happening.
Message 28 of 343
3,737 Views

sheepdog
Level 26: Upbeat
  • 3363 Posts
  • 31 Topics
  • 39 Solutions
Registered:
Actually I haven't missed the point at all. As I have to work with sensitive data I, and my work collegues, are subjected to strict conditions and yet I still come across incidents where breaches occur inadvertently. Even with training and regular reminders plus good IT systems it still happens. Its still going to come down to vigilence of the employee and the customer to minise that risk.
Message 29 of 343
3,737 Views

Anonymous
Not applicable

O2 most definately do not have a 'rigid data protection policy' and no changes are being made any time soon.

You're actually 100% wrong on both counts here, completely incorrect.
You have also completely ignored my previous post regarding the new DPA process being launched in the very near future which is based on 'bank' style security, proof that you're post regarding 'no changes being made anytime soon' is incorrect...did you even read the whole thread before posting or just start bashing out your reply?
Message 30 of 343
3,737 Views