Brisbane man Ian Howland was sitting at his desk when he noticed an email from Telstra drop into his inbox.
To his surprise, the message from the telco said his mobile number was being ported out to a different carrier. “If transfer is not authorised, please call us immediately,” the email said.
It was 4:12pm on a Wednesday and he quickly called Telstra using his landline phone. As he waited on the line, he watched other emails start dropping into his inbox.
“While I was on the landline, I could see on my computer. I was getting other emails saying my PIN number for my Qantas membership had been changed, and my NAB (bank account) PIN number had been changed, and my ANZ PIN as well,” he told Yahoo News Australia.
It kept going. Moments after the Qantas alert, he received an email telling him that some JB Hi-Fi vouchers purchased using his Qantas points had been sent out.
It was quickly apparent he had become a victim of fraudulent phone porting, where criminals take advantage of the lax regulations around mobile porting to steal someone’s phone number and use it to ransack their personal accounts.
“I just thought, how ridiculous,” Mr Howland said. “How can somebody just go and take your phone number?
“Literally in front of me it happened. My phone went dead. All you could do was make SOS calls.”
At the time, Mr Howland had recently sold his home and business and as a result had a lot of money sitting in the bank, adding to the anxiety of the moment.
While his NAB accounts were frozen by the bank due to the unusual activity, ANZ told him he needed to come into a branch to properly identify himself. In the meantime, the thieves racked up $7,000 in charges that night on his ANZ credit card.
“You just feel so helpless,” he recalled.
Typically, carriers like Telstra, Optus and Vodafone send a text message to confirm the number is being ported out, in what amounts to a fleeting chance to halt the process before the number is gone. However, Mr Howland said he never got such a message.
What shocks victims most in these cases is how little information is needed to secretly steal their mobile number. And given our reliance on two-factor authentication, thieves are often able to use the stolen number to change passwords on critical online accounts before doing serious damage.
Depending on the carrier, a SIM can often be ported out with just a name, mobile number and the date of birth of the owner – information that is often readily available on social media.
After a South Australian couple had their $8,500 wedding fund stolen last year when their Optus number was illegally ported out, the telco confirmed to Yahoo News Australia that a “mobile service number along with an account number or date of birth” is enough to port a number.
“All telecommunications providers are affected by fraudulent porting activity,” Optus said, pointing out it was operating in line with guidelines set by the Australian Communications and Media Authority (ACMA). Telstra effectively says the same.
Mr Howland went to the police and filed a report through the Australian Cybercrime Online Reporting Network (ACORN) without much hope of anything coming of it.
“The cop actually said to me, ‘you’re lucky. For some people, it destroys their whole life’,” he recalled.
Cases like his get lumped in with other forms of fraud and cybercrime, so exact numbers for illegal porting are hard to come by. But Mr Howland said his cousin works for the federal police and told him “the depth of it is enormous.”
That echoes the experience of former police detective Dr Terry Goldsworthy who now works at Queensland’s Bond University and has researched illegal phone porting.
“When I was looking at it, the offences were increasing rapidly,” he told Yahoo News Australia last year.
When he spoke to those in law enforcement, they would tell him they are seeing a growing number of porting-related scams.
New industry standards for phone porting
Mr Howland’s ordeal happened in September 2018, but despite mounting cases, telcos have dragged their heels on making any wholesale changes to their systems, instead opting to put the onus on the customer to ask for extra protection on their account in the form of a PIN.
However, that’s finally in the process of changing.
In late 2019 at the direction of the cyber security minister, the ACMA announced a broad crackdown on common phone scams, including creating a stricter industry standard required for mobile phone porting.
The move has been welcomed by consumer groups, including the Australian Communications Consumer Action Network (ACCAN), who say it’s been a long time in the making.
“This is an issue that we have been highlighting to the telco industry for quite some time now, it’s positive to see that action is finally being taken to safeguard consumers,” ACCAN CEO Teresa Corbin said at the time.
The changes to the guidelines are being overseen by the ACMA’s Fiona Cameron who declined to be interviewed for this story.
The trial period is still ongoing, with a view for the changes to be introduced by all telcos by the end of April, meaning carriers will be required to carry out extra identity checks before accepting the port of a mobile number.
To date, while some telcos have already introduced stronger preventative measures, it has been “patchy” across the industry, and the new standard will be enforceable, Ms Corbin said.
“In the past there hasn’t been all that much regulation around mobile porting,” she told Yahoo News Australia.
That has made it easier for consumers “but really what has happened now is the scammers have taken advantage of that efficiency. That is why we need additional steps now,” she said.
“It’s been a problem for a while but I think the scale and size has grown significantly, more recently.”
Ms Corbin said an industry standard requiring more stringent ID checks will slow the process down but offer far greater security to customers. She still cautioned consumers against sharing too much personal information about themselves online.