A reader lost control of his devices – and, in some respects, his life – after an apparent breach of the security systems put in place by his phone provider, with the hack leaving the company mystified and prompting it to alert An Garda Síochána and the Data Protection Commissioner.
Our reader has asked not to be identified – as he fears some dodgy characters know quite enough about him – so, for the purposes of this piece, we will call him Mitch.
Mitch contacted us last week to say he had recently been “the victim of what is known as a SIM-swap fraud”.
He describes it as a “harrowing experience” and asked us to share it with readers “to raise awareness of this potentially very serious form of identity theft in the hope that it may protect others”.
So, what happened?
“The brief version of this story is that on January 15th a bad actor phoned Vodafone, my mobile carrier, claiming to be me. They were able to bypass Vodafone’s identity verification questions – What is your name? What is your address? What is your date of birth? They were assumed then to be me,” he writes.
“Once they had gained the confidence of the Vodafone customer support agent they were able to change my phone plan (to a more expensive one – probably to gain confidence), the email address associated with my account and, most importantly, they were able to convert my account to an eSIM (as opposed to my actual physical SIM).
“With the eSIM they were able to control my account – receive and send SMS and receive and make phone calls [from another phone]. They then proceeded to change the passwords for my email accounts (by clicking ‘forgotten password’ and using twin factor authentication to confirm that it was ‘their’ account). They also took control of my Dropbox and a cryptocurrency wallet I have.”
By the time Mitch realised this was happening early on the morning of January 16th “there was nothing I could do to stop it”.
The criminals, he subsequently found out, “sent an email to [his bank], which they could ascertain from previous email correspondence, instructing it to transfer €11,000” from his account to [another] account. He says he has access to a dedicated “private banking” set-up which facilitates such transfers.
When Mitch went to a Vodafone shop and explained what was happening, he was informed that “someone had changed my account, including the activation of an eSIM, over the phone the previous evening.
“They gave me a new SIM card and I was able to take back control of my phone and of all of my other accounts again, thankfully. As soon as I was back in control of the phone I received a call from [the bank] asking me to confirm the large bank transfer. I declined and I then cancelled everything, informed the banks and called the gardaí.”
Mitch says the “banks have put notes on my accounts and there is little the gardaí can do, I have been told. I am still waiting to receive a call from the Vodafone security division about this fraud. I was told this morning that an email has been sent and this can take a week. Vodafone’s security policy with regard to my account is unchanged – meaning I could potentially go through all of this again tonight or tomorrow or anyone else could.”
He says he was told by Vodafone that all that is required over the phone to confirm a client’s identity “is confirmation of their name, address and date of birth”.
“In this day and age I find this hard to comprehend,” he says. “Of note, Vodafone have a four-digit PIN associated with my account which nobody would know except for me but knowing this number is not a requirement for the ID verification process. They did not ask the fraudster for it, I have been told. Nor do they rely on security questions. I really don’t understand this either.”
Mitch says banks need to introduce an additional layer of security, and notes that if his bank had “phoned to confirm the transfer of funds half an hour earlier it would have been the fraudster and not me answering the phone”.
He is – understandably – a little freaked out by all this and has “no confidence that this scam will not happen to me again this evening or to another Vodafone customer. I think awareness needs to be raised and Vodafone’s policies around ID verification and their attitude towards data protection needs to change.”
We contacted Vodafone and days later a detailed explanation was sent to Mitch, which he forwarded to us.
He was told that when it comes to enabling a physical SIM or e-SIM swap request, the company “already have additional measures in place which mean this action cannot be completed without enhanced validation. This consists of standard validation – name, address, DOB etc – and an additional measure to include an OTP [one-time password] code being sent to a number on the account.
“Given this individual had gained access to your My Vodafone dashboard he had already taken an action to add a second number to your account which effectively enabled him to overcome the enhanced OTP stage of validation when he reached us on the second occasion.”
Vodafone told Mitch that the “manner in which the individual gained access to your My Vodafone dashboard which ultimately allowed him to add the second number to your account is being assessed internally with concerted efforts to prevent fraudulent individuals successfully completing same going forward”.
He was told that “an action to complete a My Vodafone account password reset is typically completed by the customer themselves and also includes an OTP code sent from the platform, typically without requirement to call a care agent for support. This individual however did call our care teams and had been successful in manipulating our agent into believing there were issues receiving these OTP codes. This resulted in the agent supporting with this task manually. Again, efforts are in place to ensure this does not happen again.”
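The validation flow Vodafone describes above (standard name, address and DOB checks, then an OTP to a number on the account) was defeated because the attacker had first added his own number to the account and, on a separate call, talked an agent into completing a password reset manually. As an added illustration, not part of this article and not a description of Vodafone's actual system, the following Python model of a SIM-swap approval policy treats recently added contact details, recent account changes, an unverified account PIN and any manual OTP override as reasons to escalate rather than proceed. The seven-day cooling-off period, the PIN, the phone numbers and the dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: contact details younger than this cannot receive a step-up OTP
# for a high-risk request such as a SIM/eSIM swap.
COOLING_OFF = timedelta(days=7)


@dataclass
class ContactNumber:
    number: str
    added_at: datetime


@dataclass
class Account:
    account_pin: str                  # the PIN the reader says exists but was never asked for
    numbers: List[ContactNumber]
    email_changed_at: Optional[datetime] = None
    plan_changed_at: Optional[datetime] = None


@dataclass
class SimSwapRequest:
    requested_at: datetime
    kba_passed: bool                  # name / address / DOB matched
    pin_supplied: Optional[str]       # PIN given by the caller, if any
    otp_target: str                   # number the agent proposes to send the OTP to
    otp_entered_by_customer: bool     # False when an agent completed the OTP step "manually"


def assess_sim_swap(account: Account, req: SimSwapRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny" | "escalate", reasons) for a SIM-swap request."""
    if not req.kba_passed:
        return "deny", ["knowledge-based answers did not match"]

    reasons: List[str] = []

    # Knowledge-based answers are public-ish data; the PIN is the only secret the caller can prove.
    if req.pin_supplied is None or req.pin_supplied != account.account_pin:
        reasons.append("account PIN not verified")

    # An OTP only proves control of the target number; a freshly added number proves nothing.
    target = next((n for n in account.numbers if n.number == req.otp_target), None)
    if target is None:
        reasons.append("OTP target is not on the account")
    elif req.requested_at - target.added_at < COOLING_OFF:
        reasons.append("OTP target was added within the cooling-off period")

    # "I can't receive the code" is a reason to escalate, not to skip the step.
    if not req.otp_entered_by_customer:
        reasons.append("OTP was not entered by the customer; manual override is not an alternative")

    # A burst of account changes just before a swap is the pattern described in the article.
    for label, changed_at in (("email", account.email_changed_at), ("plan", account.plan_changed_at)):
        if changed_at is not None and req.requested_at - changed_at < COOLING_OFF:
            reasons.append(f"{label} changed within the cooling-off period")

    return ("allow" if not reasons else "escalate"), reasons


# Constructed sample data mirroring the sequence the article describes; the year is an assumption.
JAN_15_EVENING = datetime(2024, 1, 15, 20, 0)
REAL_NUMBER = "+353 87 000 0001"     # constructed placeholder for the victim's long-standing number
ADDED_NUMBER = "+353 87 000 0002"    # constructed placeholder for the number added via the dashboard


def attacker_scenario() -> Tuple[str, List[str]]:
    """Second call: KBA answered, OTP delivered to the number added an hour earlier, no PIN."""
    account = Account(
        account_pin="4321",  # constructed value
        numbers=[ContactNumber(REAL_NUMBER, datetime(2022, 3, 1)),
                 ContactNumber(ADDED_NUMBER, JAN_15_EVENING - timedelta(hours=1))],
        email_changed_at=JAN_15_EVENING - timedelta(minutes=30),
        plan_changed_at=JAN_15_EVENING - timedelta(minutes=20),
    )
    req = SimSwapRequest(JAN_15_EVENING, kba_passed=True, pin_supplied=None,
                         otp_target=ADDED_NUMBER, otp_entered_by_customer=True)
    return assess_sim_swap(account, req)


def legitimate_scenario() -> Tuple[str, List[str]]:
    """Genuine customer: long-standing number, correct PIN, OTP entered, no recent changes."""
    account = Account(account_pin="4321", numbers=[ContactNumber(REAL_NUMBER, datetime(2022, 3, 1))])
    req = SimSwapRequest(JAN_15_EVENING, kba_passed=True, pin_supplied="4321",
                         otp_target=REAL_NUMBER, otp_entered_by_customer=True)
    return assess_sim_swap(account, req)


if __name__ == "__main__":
    print("attacker:", attacker_scenario())
    print("legitimate:", legitimate_scenario())
```

The point of the model is that each extra signal is cheap for a genuine customer to satisfy and expensive for a caller who only holds publicly discoverable details: the attacker in the article would have been stopped by the PIN check alone, and the cooling-off rule removes the value of adding a number just before requesting a swap.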
Vodafone also provided us with a statement.
“We take the security of our customers’ data very seriously and have robust validation measures in place, which we continue to enhance to mitigate against the potential likelihood a fraudulent individual could gain access and manipulate the account of any of our customers,” it began.
“In line with industry standard validation measures all customers who reach our care teams are required to validate details such as their name, address, DOB and email before their account can be accessed and discussed. We also have additional validation measures in place, namely OTP or ‘One Time Password’ sent to customers who wish to complete a request which we deem as high risk.
“Regarding this specific incident, due to the sophisticated nature of fraudulent activity that occurred, an individual was successful in passing all existing validation measures we have in place. Concerted efforts are being taken to fully review the manner in which this action was completed, to include updating our care agents’ knowledge and awareness – in addition to internal process changes, again to mitigate the likelihood of future attempts of this nature being successful.”
The statement added that Vodafone was “working closely with our impacted customer in tandem to the above activity to fully restore his account to reflect the services and information prior to this incident taking place. Vodafone have also reported this data breach to the Data Protection Commission (DPC) and An Garda Síochána. We apologise for the inconvenience caused and are committed to ensuring the security of our customers’ accounts. We continue to encourage all customers to remain vigilant against sophisticated scammers and to take measures to protect their personal information.”