A state of panic washed over Oren Vaknin in December of last year when he woke up one morning to discover $32,000 missing from his bank account.
He made a phone call to his bank, and they told him they had noticed some unusual activity on his account and assured him that the account had been suspended and no more money could be taken while they launched an investigation into what had happened.
The following day the same thing happened again.
Mr Vaknin told news.com.au that “the following morning we were missing another $20,000, we were stressing out as hell, wondering what the hell is going.”
Over the course of 24 hours, bank transactions showed a total of $52,000 had disappeared from his bank account.
The investigation revealed that a scammer had taken over his mobile service by applying for an eSIM in his name, which let them steal his phone number. With control of the number, all of his passwords, including the ones for his banking, could be reset, with the reset codes and verification messages delivered to the hacker’s handset instead of his.
Recalling the moment Mr Vaknin became aware of something being dreadfully wrong, he told news.com.au that at 2:59pm he received a text message from Optus claiming his contact details had been updated. This was alarming as he had made no such request.
An hour later he could no longer access his mobile service because it had been changed to SOS mode and no text messages or calls could be made or received. This was the moment the cybercriminal had successfully ported his phone number to their own device.
The only details the hacker needed in order to pull this crime off were Mr Vaknin’s mobile service number, address, and date of birth. With those details, they were able to get Optus to swap the SIM.
Mr Vaknin suspects a list with some of his personal information was intercepted and this was how the fraudster gained all the information they required. But there isn’t any way to know for certain.
The following few days were “hell” according to Mr Vaknin.
“Once they had my email and my phone number they could change everything,” he said.
Mr Vaknin, his wife, and his 18-year-old son had to work together to shut down all of Mr Vaknin’s accounts. He called Optus to explain what had happened and was assured that his phone number had been suspended, but 20 minutes later the hackers had managed to reinstate the number. Mr Vaknin recalls this happening three times as he and the hacker fought for control of the mobile service number. The hacker got hold of it a fourth time and migrated it to a different provider.
“Luckily enough I managed to discover it was Telstra because I didn’t have any Wi-Fi. It was completely unrelated; they said you have a phone number with us.”
He also received emails from several other services informing him that his passwords had been changed.
If that all wasn’t bad enough, Mr Vaknin woke up the following day to realise that $32,000 was missing from an account linked to a significant loan he had taken out for his business, and despite having a conversation with the bank, he discovered a further $20,000 missing the day after that.
“The hackers managed to get $52,000 in two different days. Which is absolutely ridiculous,” he said.
He managed to get his account suspended after further conversations with the bank in which he called them “idiots” for allowing the theft to happen again.
Mr Vaknin’s bank told news.com.au that it had kept track of the money the entire time and that the funds had been fully recovered. He has little faith in that assurance, however, and has kept the money locked down ever since the ordeal, which means he is unable to access the account.
“Since then we’re scared to open the account,” he told news.com.au, “I’ve been suspended from this account since December last year and it’s a big loan.”
Mr Vaknin remains an Optus customer but insisted on a four-letter PIN code being required before anybody can make changes to his account. He tested this by going into an Optus store and asking to change some things on his account. The staff member asked him for his PIN. He made up some random numbers.
“She got into my account in two seconds, willing to change whatever, without even checking,” he said, “we went through hell only for this to happen. It was absolutely a joke. They [Optus] gave me $100 in compensation which was really pathetic.”
Optus declined to comment on Mr Vaknin’s case, but they stated, “Optus, along with the wider telco industry, is working to enhance existing protocols and controls to prevent unauthorised access to customers’ accounts and services.”
In response, the Australian Communications and Media Authority (ACMA) announced that phone companies will need stronger customer identity checks for “high-risk transactions” such as SIM swaps or account changes.
The new requirements will come into effect on 30th June and are called the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022.
From June 30th, telcos must use multi-factor authentication of their customers’ identities, such as confirming personal information and then responding with a one-time code, similar to how banks operate. Currently, they mostly only require a customer’s name, phone number, date of birth, and address to authorise a change. Under the new rules, telcos that breach the requirements can be punished by the ACMA, which may include taking them to court.
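As an added illustration of the kind of control the new determination describes (example code written for this page, not Optus’s or the ACMA’s own logic): the old knowledge-based check beside a multi-factor check for high-risk transactions, with a per-account PIN, a single-use code sent to the handset that currently holds the service, lockout after repeated wrong PINs, and a hold on a second SIM swap within a day. The customer record, PIN, thresholds and transaction names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Transactions the article says the ACMA treats as high risk
HIGH_RISK = {"sim_swap", "port_out", "contact_update"}
MAX_PIN_FAILURES = 3          # lock the account after repeated wrong PINs
SWAP_COOLDOWN = 24 * 3600     # seconds; a second swap inside this window needs manual review
SALT = b"constructed-example-salt"  # a real system uses a random per-account salt

def hash_pin(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000).hex()

def make_account(pin):
    """Constructed customer record for the example (hypothetical data, not a real customer)."""
    return {"name": "A. Customer", "dob": "1970-01-01", "address": "1 Example St",
            "pin_hash": hash_pin(pin), "failed_pins": 0, "otp": None, "last_swap": None}

def weak_authorise(account, request):
    """The check the article says used to suffice: name, DOB and address match."""
    return all(request.get(k) == account[k] for k in ("name", "dob", "address"))

def issue_otp(account):
    """Simulates sending a one-time code to the handset that currently holds the service."""
    account["otp"] = f"{secrets.randbelow(10**6):06d}"
    return account["otp"]

def strict_authorise(account, request):
    """Multi-factor check for high-risk transactions: knowledge + account PIN + OTP."""
    if request["type"] not in HIGH_RISK:
        return weak_authorise(account, request)
    if account["failed_pins"] >= MAX_PIN_FAILURES:
        return False                      # locked until identity is verified in person
    if not weak_authorise(account, request):
        return False
    if not hmac.compare_digest(hash_pin(request.get("pin", "")), account["pin_hash"]):
        account["failed_pins"] += 1       # a guessed PIN must fail and must be counted
        return False
    expected, account["otp"] = account["otp"], None   # one-time: consumed on first check
    if expected is None or not hmac.compare_digest(request.get("otp", ""), expected):
        return False
    if request["type"] == "sim_swap":
        last = account["last_swap"]
        if last is not None and request["ts"] - last < SWAP_COOLDOWN:
            return False                  # repeated swaps in a day: hold for manual review
        account["last_swap"] = request["ts"]
    account["failed_pins"] = 0
    return True
```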
Between January 1st and September 30th last year, there were at least 510 incidents of reported SIM swaps, resulting in 163 cases of financial loss. According to the ACMA, the average amount that a victim of SIM swapping loses to hackers is around $28,000. In 2021 the largest single reported loss was $463,782.