19-07-2024 13:43
I got a very clever scam call that exposes the lack of security in O2's 2FA verification text.
The guy said along the lines of 'Hi... we've just noticed the plan you're using is outdated because it's still from 2015', simple and believable - didn't ask for any bank information, just suggesting an upgrade.
Then he said 'Yeah, I'll just text a code through to you and if you could confirm it'. He pulled this off very smoothly, just as an official text from O2 with an easy-to-read security code comes through. Which is the SCAM.
The text reads 'O2: Your verification code is XXXX'
(The scam is, this is just him pressing 'Forgot Password' to trigger this official O2 text to me, once he has the 2FA code he will log into my account and order a bunch of phones).
Many people will fall victim especially how neatly it was pulled off, and how easy it is to read 4 digits before your eyes.
This scam can be practically eliminated if this 2FA text is reworded to:
'Attempted log-in, never give this code to anyone on the phone. However, if you are trying to log in:'
Or something more concise. That's my suggestion.
Many thanks
19-07-2024 14:09
We're fully aware of this and the preceding text to the one with the code clearly states NOT to give the code to anyone.
19-07-2024 14:31
Nothing new under the sun, @swalk. I've lost count of the number of years we've been telling others to never agree to, or open any links, or enter any information from a cold caller, no matter who they say they are.
Block the number and report it free to 7726.
O2 advice here:
https://www.o2.co.uk/help/safety-and-security/phishing-and-smishing-advice
https://www.o2.co.uk/help/safety-and-security/unwanted-calls-and-messages
https://www.actionfraud.police.uk/
How to block a number:
19-07-2024 14:34
It's a social engineering attack, and they pick numbers at random and then call you; as soon as you answer they click on Forgot Password, and hope the victim on the end of the phone thinks it's a genuine call.
Quite easy to do really with publicly available information from the regulator.
o2 do send a precursor text that tells you not to give out the code, and if on the phone to someone who called you, to hang up and call o2 to report it. (You always get both texts; if not, check you haven't marked it as spam on your phone.)
What o2 should be doing is pushing customers to use auth apps, or RSA-based tokens (at the customer's expense; they are expensive) or USB fingerprint readers to authenticate.
19-07-2024 16:00
Yes, as mentioned this is what happened. However there was no precursor text.
19-07-2024 16:01
Ok great, however the majority of customers are not forum members. It's more efficient just to have a disclaimer in the text message itself.
19-07-2024 16:03
Ok awesome, thanks
19-07-2024 17:09
@swalk You don't need to be a member of this forum to have a little common sense about scam calls and texts. There's a news story every day about people getting taken in by scammers. It happens to people all over the world, and there's only so much any network can do at the moment to protect their customers. Some of the responsibility has to come from the customers themselves.
20-07-2024 06:41
You've lost count of telling people - why not just have the text message tell people automatically?
This is within capability and it's a significant precaution which would reduce scams.
This scam relies on him telling you he's sending you a code, which you simply read out.
Only trying to help.
20-07-2024 11:03
The messages received are very clear about this if anyone cares to read them.
Not much else to be said.