Optus, Telstra, Aldi Mobile SIM swaps: ACMA introduces new rules to stop phone hackers
An Australian doctor was about to go on vacation with her family for two weeks, but then she noticed an unusual transaction in her bank account.
Several months ago, Christine*’s worst fears came true when she received an alert from a meal delivery company saying she had spent $79 on coke, burgers, southern fried chicken tenders, buffalo wings and garlic bread.
The problem was that the NSW-based doctor never placed the order.
A few hours earlier, her phone had stopped receiving calls or texts and her signal had gone into “SOS only” mode.
It turned out she had been SIM-swapped: a scammer took remote control of her phone number by impersonating her to her telecom provider and asking for an eSIM card.
This meant that the cybercriminal could then access all of her accounts, including her bank, social media, email and even food delivery accounts, by requesting a password reset and intercepting the text message.
Christine lost $200 after the hacker made a small wire transfer from her bank, but she’s certain that whatever information they managed to acquire about her was sold on the dark web.
“The whole hacking experience has made me feel very vulnerable and in danger, the whole structure of who I am has been taken away from me,” the medical professional told news.com.au.
It comes as the telecoms watchdog has cracked down on telecom providers for allowing SIM swapping scams to happen.
Currently, some phone companies like Optus only require the customer’s full name, date of birth, phone number and address before authorizing a SIM swap.
The Australian Communications and Media Authority (ACMA) announced new rules on Friday, warning that legal action will be taken against telecommunications organizations if they are not followed.
Christine is unsure how the hackers obtained the amount of personal details needed to impersonate her, but she suspects an important letter was stolen from the post office.
She knew something was wrong when she started receiving messages from her telecom provider saying her contact details had been changed.
“I remember I was on the phone when I got those text messages,” she said. “I thought I would take care of it when I got home, which was a big mistake.”
The doctor is usually on call for medical emergencies, but luckily she was about to go on leave, so no patient’s life was ever in danger during the hack.
But it took her two whole weeks to deal with the carnage caused by the hackers, so she couldn’t go on the family vacation.
Her friend called her phone number and spoke briefly to a woman on the other end of the line, before being passed on to a man, who hung up the phone. At the time, the friend was confused, but in hindsight realized they had spoken directly to the hackers.
Christine’s phone company also informed her that a woman had called posing as her asking for an eSIM card.
“I know they are real humans. These people who did this are not nice people,” she said.
In another disturbing twist, she added: “A number of SIM cards were delivered to my home.
“I guess they [the hackers] asked for additional SIM cards. They might have been outside my house, ready to pick it up.”
She suspects the same for the food delivery order.
“I’m worried now, it’s going to worry me for the next five or 10 years. I’m scared,” said Christine.
“It’s quite deep actually. We live in a world where you are your cell phone number, you are your health insurance number, it’s something really personal, it’s quite disturbing.”
To make matters even more frustrating, Christine knows it would be easy to catch the hackers who made her life a misery.
“When I accessed my emails, I was able to see the IP address [they used],” she explained.
“On my telco phone bill, the location is available. We have the suburbs where it’s happening, their names, it should be possible to find these people.”
However, the police refused to take her victim impact statement and instead reported it to the Australian Cyber Security Centre (ACSC), which has no special enforcement powers.
Christine isn’t the only medical professional whose life has been turned upside down by SIM swapping hackers.
Ally*, an NSW health worker, has been compromised since May last year after her SIM card was swapped for an eSIM by cybercriminals.
This was a particular problem for her because, as a medical professional, she had to constantly access her vaccination certificate when vaccination mandates came into effect following the Delta outbreak of Covid-19.
“I’ve used numerous phones, two SIM cards and spent $880 on professional IT support to no avail,” Ally told news.com.au.
“My SIM cards were purchased through Telstra. I haven’t been refunded anyway since they said the problem was with the iPhone.
“I’ve been through two iPhones, sold them, and now I’m having similar issues with a Samsung phone.
“I placed a credit ban when I noticed my emails and alarm notifications were being intercepted.”
She even noticed that a small direct debit transaction of $20 had been sent to the Government of Canada.
“My phone keeps locking my account saying I gave the wrong passcode, I have to reset it very often and this has resulted in my apps, contacts, emails and photos being completely erased,” she added.
“Managing my finances has become a challenge.”
On Friday, the ACMA announced that phone companies will need more stringent customer identity checks for “high-risk transactions” like SIM card swaps or account switches.
The new requirements, called Telecommunications Service Provider Determination (Customer Identity Authentication) 2022, will come into effect at the end of June.
Under the new guidelines, the ACMA can punish telecom operators who break the rules, including by prosecuting them.
According to the ACMA, an Australian victim of a SIM card swap will lose an average of $28,000 to hackers.
Earlier this year, news.com.au reported that a family in Sydney had lost $37,000 due to an elaborate SIM card swap hack.
And news.com.au knows of one person who lost $52,000 and another who had millions in credit card debt racked up in his name.
“SIM swapping scams can cause a lot of harm, as scammers take control of your phone number and then use it to access your online banking accounts,” said Fiona Cameron, chair of the ACMA scams task force.
“These new rules require multi-factor authentication of your identity, such as confirming personal information and responding with a one-time code compatible with the operation of other essential services like banking.
“We hope these rules will go a long way to rooting out unauthorized transactions such as SIM card swapping fraud and improving protections for telecom customers.”
*Names withheld for confidentiality reasons
Do you have a similar story? Continue the conversation | @AlexTurnerCohen