
Serious Security Risk & Solution

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

I got a very clever scam call that exposes the lack of security in O2's 2FA verification text.

 

The guy said something along the lines of 'Hi... we've just noticed the plan you're using is outdated because it's still from 2015', simple and believable - didn't ask for any bank information, just suggesting an upgrade.

 

Then he said 'Yeah, I'll just text a code through to you, and if you could confirm it'. He pulled this off very smoothly, just as an official text from O2 with an easy-to-read security code comes through. Which is the SCAM.

 

The text reads 'O2: Your verification code is XXXX'

 

(The scam is, this is just him pressing 'Forgot Password' to trigger this official O2 text to me, once he has the 2FA code he will log into my account and order a bunch of phones).

 

Many people will fall victim, especially given how neatly it was pulled off, and how easy it is to read 4 digits off the screen in front of you.

 

This scam can be practically eliminated if this 2FA text is reworded to:

 'Attempted log-in. Never give this code to anyone on the phone. However, if you are trying to log in:'

 

Or something more concise. That's my suggestion.

 

Many thanks

Message 1 of 13
1,395 Views
12 REPLIES

swalk
Level 1: Joiner
  • 6 Posts
  • 1 Topics
  • 0 Solutions
Registered:

Yes, the messages in your screenshot are just perfect.

 

However this is not what I received:

 

[screenshot: scam.png]

 

Most non-tech people will understand the above as O2 sending them a code (in this case, relevant to the phone call), rather than someone trying to force entry into their account (which is a lot clearer in your screenshot).

Message 11 of 13
279 Views

gmarkj
Level 66: Unequalled
  • 12880 Posts
  • 95 Topics
  • 1172 Solutions
Registered:

Bit worrying if you didn't get the first message.

Think this is one that needs more investigating @Kei-M_O2 

Please note, this is not customer services and we cannot access your account. Do not publish personal details (email, phone number, bank account).


Link to our guide on how to contact them can be found here

Message 12 of 13
253 Views

Kei-M_O2
Community Manager
Community Manager
  • 103 Posts
  • 5 Topics
  • 0 Solutions
Registered:

Thanks @gmarkj - let me pass it onto the team to see why the normal text wouldn't be sent.

Message 13 of 13
234 Views