cancel
Showing results for 
Search instead for 
Did you mean: 

Serious Security Risk & Solution

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

I got a very clever scam call that exposes the lack of security in O2's 2FA verification text.

 

The guy said along the lines of 'Hi.. we've just noticed the plan your using is outdated because it's still from 2015', simple and believable - didn't ask for any bank information, just suggesting an upgrade.

 

Then he said 'Yeah I'll just text a code through to you and if you could confirm it'. He pulled this off very smoothly just as an official text from O2 with a easy to read security code comes through. Which is the SCAM.

 

The text reads 'O2: Your verification code is XXXX'

 

(The scam is, this is just him pressing 'Forgot Password' to trigger this official O2 text to me, once he has the 2FA code he will log into my account and order a bunch of phones).

 

Many people will fall victim especially how neatly it was pulled off, and how easy it is to read 4 digits before your eyes.

 

This scam can be practically eliminated if this 2FA text is reworded to:

 'Attempted log-in, never give this code to anyone one the phone. However, if you are trying to log in:'

 

Or something more concise. That's my suggestion.

 

Many thanks

Message 1 of 13
1,241 Views
12 REPLIES 12

MI5
Level 94: Supreme
  • 150869 Posts
  • 645 Topics
  • 28745 Solutions
Registered:

@swalk 

We're fully aware of this and the preceding text to the one with the code clearly states NOT to give the code to anyone.

I have no affiliation whatsoever with O2 or any subsidiary companies. Comments posted are entirely of my own opinion. This is not Customer Service so we are unable to help with account specific issues.
Please select the post that helped you best and mark as the solution. This helps other members in resolving their issues faster. Thank you.
Message 2 of 13
992 Views

Bambino
Level 86: Prestigious
  • 24271 Posts
  • 1055 Topics
  • 3813 Solutions
Registered:

Nothing new under the sun, @swalk. I've lost count of the number of years we've been telling others to never agree to, or open any links, or enter any information from a cold caller, no matter who they say they are.

Block the number and report it free to 7726.

O2 advice here:

https://www.o2.co.uk/help/safety-and-security/phishing-and-smishing-advice
https://www.o2.co.uk/help/safety-and-security/unwanted-calls-and-messages
https://www.actionfraud.police.uk/

How to block a number:

https://www.samsung.com/us/support/answer/ANS00062352/

https://support.apple.com/en-us/HT201229

I DO NOT WORK FOR O2



Funniest-Thread-2
Message 3 of 13
978 Views

madasaf1sh
Level 78: King of Kings
  • 11899 Posts
  • 66 Topics
  • 3211 Solutions
Registered:

@swalk 

 


Its a social engineering attack, and they pick numbers at random and then call you, as soon as you answer they click on Forgot password, and hope the victim on the end of the phone thinks its a genuine call. 

 

Quite easy to do really with publicly available information from the regulator.


o2 do send a precursor text,. that tells you not to give out the code, and if on the phone to someone who called you to hang up and call o2 to report it.  (You always get both texts if not check you havent marked it as spam on your phone)..

 

What o2 should be doing is pushing customer to use Auth Apps, or RSA based tokens (at the customers expense  they are expensive) or USB finger print readers to authenticate 

--
iPhone 16 Pro Max - o2 and Spusu
Xperia 1V - Spusu

--
This is not customer services and we dont have access to your account
I do not work for o2 or any VMo2 /Telefonica/Liberty Global Company
Message 4 of 13
978 Views

swalk
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

Yes, as mentioned this is what happened. However there was no precursor text.

Message 5 of 13
927 Views

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

Ok great, however the majority of customers are not forum members. It's more efficient just to have a disclaimer in the text message itself.

Message 6 of 13
926 Views

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

Ok awesome, thanks :slight_smile:

Message 7 of 13
926 Views

Bambino
Level 86: Prestigious
  • 24271 Posts
  • 1055 Topics
  • 3813 Solutions
Registered:

@swalk You don't need to be a member of this forum to have a little common sense about scam calls and texts. There's a news story every day about people getting taken in by scammers. It happens to people all over the world, and there's only so much any network can do at the moment to protect their customers. Some of the responsibility has to come from the customers themselves.

I DO NOT WORK FOR O2



Funniest-Thread-2
Message 8 of 13
874 Views

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

You've lost count of telling people - why not just have the text message tell people automatically?

 

This is within capability and it's a significant precaution which would reduce scams.

 

This scam relies on him telling you he's sending you a code to which you simply read.

 

Only trying to help.

Message 9 of 13
818 Views

MI5
Level 94: Supreme
  • 150869 Posts
  • 645 Topics
  • 28745 Solutions
Registered:

@swalk 

The messages received are very clear about this if anyone cares to read them.

Not much else to be said.

Image 20-07-2024 at 11.02.jpeg

 

I have no affiliation whatsoever with O2 or any subsidiary companies. Comments posted are entirely of my own opinion. This is not Customer Service so we are unable to help with account specific issues.
Please select the post that helped you best and mark as the solution. This helps other members in resolving their issues faster. Thank you.
Message 10 of 13
796 Views