cancel
Showing results for 
Search instead for 
Did you mean: 

My O2 account was hacked!

Anonymous
Not applicable
A couple of weeks ago I received an odd text from O2 informing me that I can upgrade my handset in September 2013. Now, I have a sim-only contract and haven't had a new handset from O2 in a number of years but I knew my contract was due to expire some time in late September so I checked my O2 account online. It seems that I now have a new tariff of £36 a month, which I knew nothing about and checking on down the page I spotted a completed order which turned out to be for an iPhone 4. Naturally I hadn't placed this. The Yodel tracking number revealed that it had been delivered to an address that wasn't mine the previous day.
I called O2 and discovered that my security question had been changed along with my home address and e-mail address. Someone had clearly managed to access my O2 account online and ordered himself a phone at my expense. Since the user name and password are known only to me, either O2's site security is extremely poor or someone inside O2 has accessed my information. Either way, I'm not impressed.
The customer service adviser was very helpful and promised that the fraud department would investigate and call me. However, eight days later I have heard no word from them and in the meantime I can do nothing about changing my contract while there is an issue with my account. I was planning to get a new phone, possibly the new iPhone when it comes out, but now I'm very concerned about O2's security. I've been with them for over ten years but I'm seriously considering whether I want to continue with them now.
The only piece of good news is that the phone was delivered one day and blacklisted the next.
Has anyone else had this happen? If so, how did O2 handle it?
Message 1 of 343
35,319 Views
342 REPLIES 342

Anonymous
Not applicable

@Anonymous wrote:

A modification to Direct Debit (such as the amount to be paid) does not need authorisation from the account owner.

 

In the case of 'Soobster' - I suspect that the fraudulent activity was that they had signed up for a new contract and (as is pretty standard across all carriers) the O2 rep asked "do you want me to setup this new account using the old bank details?" - Given this question usually comes after passing account security, it's a perfectly reasonable question IMO. If yes, the existing Direct Debit is edited, and the bank doesn't require authorisation from the account holder for this type of edit.

 

Only in this case, the account was being setup by a fraudster, so the assumption of permission to change banking details isn't valid.

 

Somewhat concerning though that every case I've read about (specific to O2, but not specific to this thread) has been a customer who's contract is up for renewal. This points to a pretty significant "data leak" somewhere, in my opinion. O2 are surely aware of it from their own Fraud team (you'd hope), but very little seems to (publicly) be getting done about it.


The fraudulent DD is an additional one which has been added, I'll hopefully know more on how tomorrow. Your explanation does seem reasonable, if I thought o2 were remotely interested I'd pass the information on to help with their ongoing investigations.

 

Message 341 of 343
1,464 Views

Anonymous
Not applicable

"Permission" for a Direct Debit is a vague concept at best. All O2 have to do (legally), is "Obtain your authority" to setup a Direct Debit Mandate - often this is in the form of a verbal agreement. Many, many other companies also do this.

 

So from the bank's perspective, O2 (or their representatives) will have said "we have permission to setup a Direct Debit using these details" and the bank's automated systems will have obliged.

 

The entire Direct Debit system is, in terms of security, laughably weak. The security comes solely from the fact that only nominated gateways are allowed to submit requests. Once the request is in the system, there's no validation of the request at all.

 

O2 should have guidelines in place to prevent employees willfully creating new direct debits at will, but I'd wager that it really is just a button marked "the customer agreed to this during our phone conversation" - relying on the fact that the phonecall is probably (read: hopefully) recorded.

 

Sadly, setting up the new Direct Debit is technically the fault of the bank, but the entire system is built the way it is, and it isn't going to be changed any time soon. Besides, the bank were just acting on authority given to them by O2 - so they'll happily argue that they're not responsible whatsoever.

 

And people wonder what led to the economic situation. slight_smile

Message 342 of 343
1,455 Views

Anonymous
Not applicable