Identify theft via mobile phone

From the daily mail:

http://www.dailymail.co.uk/news/article-4126766/Thieves-hack-woman-s-phone-steal-identity.html#comments

It seems that thieves somehow got hold of this woman's phone number, phone company, name and presumably email address. From that they rang up or did the online chat with the service provider - optus - and were able to close down her sim card and transfer her number to their own sim card.

Then they got into her email by using the recovery sms function, from which they got bank account information. Got into her facebook account in the same way and got her date of birth.They could then hack into her internet bank and steal money.

So much security information in Australia goes through your phone, internet banking, centrelink, medicare. Also it is that easy to change your sim card and keep the same number. I did it in a shop with vodafone going from a micro-sim to a nano-sim, but I did need to show id.

So basically, from that article it seems that all that was needed was this woman's name, phone number and telephone operator to hack into her phone. The fact that she enabled the sms password recovery option on her email and facebook meant that they could get into her bank account and find out enough identifying details. Is there anything else that she did that may have allowed this to happen? I find this really scary and do not have my phone number linked to my email or facebook. On the other hand it is a daily mail article and could have left out god knows how many important details.

I saw something about this kind of ID theft on a consumer affairs programme recently, here in the UK. Cant remember which programme but it was not done by the Daily Mail! They explained the sequence of events which unfortunately I cant remember now, because I use pay as you go and don't have a contract with anyone. The scam I heard described depended on getting past the contract provider, but I cant remember exactly how, I think it involved persuading them to change the contact details. Whatever, the scam unrolled in much the way you described and ended with the victim losing money from their bank account. I find this sort of thing very worrying too, and try to have different passwords for everything, to avoid using guessable security questions (eg mother's maiden name) and NEVER give my correct date of birth on a trivial website that has no business asking for it in the first place. Facebook is the last place I would put my date of birth - mainly because its not necessary so why take the chance? I'd be interested to know what other simple security steps I could take if anyone knows any?

I'd be interested to know what other simple security steps I could take if anyone knows any?

 

Useful information here:

https://www.staysmartonline.gov.au/mobile-devices

They had a security guy on one of those consumer shows a few months back. He said the best thing we can do is to get strong passwords and change them regularly. Interestingly, he also said to ignore the old advice about not writing them down - which is one of the reason we don't change them often enough - after all, as he put it, the sort of people who break into your house are generally not the same ones who hack into your accounts.

I keep my passwords written on the inside of a book cover.

Regarding the internet banking, in other countries you are given a security box/calculator thingy that generates passwords. Of course losing it is a pain in the arse, but this type of remote sim card/phone number theft can't be used to get into your bank account. I only moved to Australia last year and since then I have noticed that I have my whole life in my email account. All the id in my inbox together with my mobile number easily could result in id theft or fraud. I was actually thinking of getting my bank statements sent to my email because of the environment and saving paper, but after reading that I will not be doing that. Actually my email password was hacked about 4 years ago, luckily when my email only contained gossip and not the likes of my visa, etc., etc.

With this stuff, it is almost a case of being grateful that it has happened to someone else so that the rest of us can learn a lesson from it.

What I have taken from this is:

- do not give email or facebook your phone number

- do not get bank statements emailed to you

- hope that you have a phone provider that insists on id before transferring phone number between sim cards (vodafone did for me, but maybe I just got someone who was doing their job properly)

- don't use obvious answers to security questions

- have different passwords and change them regularly (such a pain)

I'd love to know other ways of keeping personal stuff safe online too. An IT guy at work suggested using a password encrypted website to store all passwords, but I am stupidly scared that either that would get hacked or I'd forget the password for that and never be able to access anything every again.