Level 1: Joiner
Posts: 7
Registered: ‎16-07-2019

Re: Sim Hijacking

Thanks for your interesting replies.

 

I am of course wary of turning this posting into a sim-swappers' handbook, but I would really like assurance that this kind of fraud is no longer possible now that 2-factor authentication via sms will be so prevalent. 

 

Let's say a (real or fake) O2 contract customer loses their sim, so phones up O2 "I've forgotten my password and memorable answers - sorry, I was in a bad road accident last year and it affected my memory....blag blag blag etc".  Would the operator not ask the customer to go to an O2 shop with photo ID? I think we should be told. 

 

O2 should issue worried customers, who opt-in to the scheme, a sim-swap pin without which a swap is not possible no matter what ID comes through the O2 shop door (so better keep it safe!). It's a simple low-cost idea and would stop the problem would it not?

 

 

Level 11: Motivator
Posts: 578
Registered: ‎27-05-2019

Re: Sim Hijacking


Companies are relying way too much on mobile phone based authentication, whether it be SMS or authenticator type apps.

 

The banks I use issue a card reader on one and a pin pad on the other, the bank that issues the pad asked me did I want to use the version in their app and I said no thanks, send me a device please or I'll move.

 

It's cheap for them and supposedly convenient for the customer but just shifts the liability.

 

Also have to use this type of authentication for some stuff at work which I'm not particularly happy about but had a discussion with someone at work who bought into the whole app based bank nonsense, until their phone went missing that is.

 

It's a fine balance between convenience and security but when dealing with finances I'd prefer security but that's just me.

Current tech used:
Samsung A40 on giffgaff, Core i7 9700F PC with Win 10 Pro. Apple Mac Mini late 2014 with Core i5 running 10.15
Home Internet Connection: Zen Internet Fibre To The Premises Full Fibre 2 76 Mbps Down/18 Mbps up (upgraded for homeworking),
I don't work for O2 but have an interest in networks (including mobile) and IT (which is how I earn my living)
Level 1: Joiner
Posts: 7
Registered: ‎16-07-2019

Re: Sim Hijacking

Techtamer I very much agree with you.

 

I have a pin-pad for one of my bank accounts and I doubt anyone could blag a replacement one from my bank whose security is better than a mobile network's, but I suspect that my bank will stop issuing pin-pads in favour of their (currently optional) app and if you don't have the app I guess you can't login on your phone unless you carry the pin-pad with you so I guess the app might win one day.

 

To be clear though, you would not get app access to a bank account by blagging a sim swap in an O2 shop; you would need further passwords to log in to the app no doubt. 

 

I am really talking about 2-factor authentication (2FA) by sms in these posts and one of my banks is only offering this method for 2FA. They did however assure me that it would be "quite safe as they would only send an sms if a login attempt was made from an unrecognised computer".

 

Where else do they think a thief would be logging in from?

 

Mobile phone companies are now faced with doing, effectively, the banks' security checks for customers who use sms-based 2FA and they are not very good at it - sorry but most people working in mobile phone shops are young and perhaps less sceptical of possibly fraudulent approaches than those of us who have more experience of life. 

 

Look what happened when the BBC actually tested mobile phone companies' security procedures:

 

https://www.bbc.co.uk/news/business-46047714

 

Crikey.....

 

 

Former Staff
Posts: 5,426
Registered: ‎18-04-2018

Re: Sim Hijacking

@Jules63 I'm very sorry to hear about what happened to your friend. I'll check what I can find out on my end on this matter and will post more info here as and when I have any!

 

Cheers everyone for the advice, very useful and interesting @Bambino @MI5 @PhoneChanger @techtamer


Level 11: Motivator
Posts: 578
Registered: ‎27-05-2019

Re: Sim Hijacking

Doesn't look like there's any protection for PAYG users though considering there's no requirement to register an address.

 

 

Former Staff
Posts: 5,426
Registered: ‎18-04-2018

Re: Sim Hijacking

Hi everyone, 

 

I've just had a look on our end and found out some more info that I hope you'll find useful.

 

For security reasons we can’t reveal the precise measures, checks and processes we have in place to tackle fraud on our network, but we can confirm that O2 takes customers’ security very seriously and has processes to protect our customers from any fraudulent activity. We can assure you we have strict controls in place to prevent any fraudulent activity around SIM management/changes in our stores, call centres and online. However, should customers have any concern around any changes to their account or mobile phone, they should contact customer service immediately.


Level 1: Joiner
Posts: 7
Registered: ‎16-07-2019

Re: Sim Hijacking

Much as I appreciate the answer from EmilieT, I find myself unreassured by an assertion that strict anti-hijacking measures are in place but O2 can't say what they are. The BBC don't think they work too well; talking about security checks in the article I mentioned, the BBC says of their attempts to sim-swap at O2 shops...

 

...that did not happen with any of the numbers being used by the Watchdog Live team, who were able to walk out with a replacement Sim in almost every case.

 

As far as I can see, no measures are currently being undertaken which will counter someone walking in to an O2 shop with a fake photo ID, which O2 told me on the phone would indeed trump all other security requirements or questions.  

 

It would be naive to think that thieves can't simply google for a fake UK driving licence, they are sadly easy to obtain. 

 

I invite O2 to set up a further optional layer of security, possibly a PIN, known only to O2 and the customer, without which a sim swap will never be authorised. It is a low-cost option and I'll definitely sign up for it. This would stop the fake-ID approach dead, or does anyone else have an idea how to stop this fraud?

 

 

Level 11: Motivator
Posts: 578
Registered: ‎27-05-2019

Re: Sim Hijacking

@Jules63 

 

There would have to be a contingency for a forgotten PIN and therein lies the flaw.

 

If you can frustrate the scum doing this they'll stop bothering but the customer will have to take a bit of pain too.

 

Here's how it should work.

 

All accounts (PAYG and Contract) need to have a registered address and the people need to appear on the electoral roll, if the user is a minor, this needs to be a parent or guardian, no verification, no service, if the person is homeless they need to obtain some sort of documentation from the Council or a charity such as Shelter vouching for them, the store need to verify this with the issuing authority, seeing it and taking it as valid is not enough now.

 

Any SIM swaps should not be done in store, apply for one but the SIM should be posted to the registered address but there should be a delay of 7 days before this happens, in the meantime a message should be sent to the phone, if the customer replies the process stops and is voided, if no response is received, process continues and SIM is despatched unless they can produce verifiable documentation as mentioned above.

 

I know this sounds a bit draconian but the criminals seem to be running rings around those of us that aren't.

 

Posts: 1,034
Topics: 8
Kudos: 154
Registered: ‎13-07-2008

Re: Sim Hijacking

The banks should be refunding in situations like this under a code of practice that most major banks have agreed to

 

https://www.moneysavingexpert.com/news/2019/05/more-protection-for-money-transfer-scam-victims-from-...

 

I'd imagine EE customers may fall victim to this as you can get a sim swap in store on EE if you have photo ID. I have heard of one or two instances of this happening to people on EE

 

Like @techtamer I'm not keen on the banks relying on OTPs as authentication which is only going to get worse in September when most banks will start using them to verify card transactions online. My main line is currently on EE and I have a technical issue at the moment where OTPs are not coming immediately through to me but will instead come through in batches hours if not days after they are generated meaning they are currently useless to me as by the time I get them they have expired. Hopefully EE fix this soon otherwise I'm going to have to change my phone number with banks to a number on another network (and may need an OTP to do this which will be a ballache)

 

A few of my banks are switching towards using their mobile apps as authentication which I prefer to SMS

Level 1: Joiner
Posts: 7
Registered: ‎16-07-2019

Re: Sim Hijacking

Techtamer, thanks for some very interesting ideas.

 

It would cause a lot of bad feeling if say a business-owner who has a broken sim has to do without a replacement for 7 days. That would be expensive for them, and a delay in sending the sim would merely increase the chance of a fraud being detected whereas I want it stopped.

 

I do take your point about using the Council and Shelter as references but Councils have been notoriously bad at being defrauded by bogus claimants, so their checks aren't up to much, and I fear Shelter don't ask too many questions of people who approach them, these can be people with next to no ID who can say they are whoever they like.

 

Biometrics may eventually be the only way forward to prove ID.

 

Perhaps provide your network with a fingerprint in store when you buy a phone, or afterwards, to enhance any existing security; the technology exists in many handsets today so it is a simple thing to do. That would certainly stop a sim thief, or have O2 keep a photo of you, if you wish that. Again, the biometric account-lock would be an optional addition to an account, but a recommended one.

I think we're agreed the current system is a bit of a farce and needs revising because this fraud is going on today.................and nobody is paying attention.

 

Banks have rather naughtily forced this situation on the mobile networks and us by using our phones for bank-account-access passcode delivery. Eventually, passcodes via SMS should be stopped, as that is linked to the sim, a duplicable item, whereas an authenticator app like Authy is a handset thing.

I am also concerned that mobile networks may be acting in breach of data-protection regulations in that they may facilitate access to a customer's personal banking accounts through a known-to-be lax system of identity checks and in this matter they may in future have some legal liability for any losses, perhaps vicariously with banks themselves who are using sms knowing it to be insecure. Tesco Bank actually say in their own terms and conditions that sms is not secure, page 4: "As text and email are not secure channels, we’ll only include generic information".

 

I'm sure many people will google for and find these postings in future - I just hope they haven't lost a lot of money.