O2 account hacked and phone number stolen

[mattyg]

Phew an eventful last hour or so


I got an email from Experian today saying my email address & password has been sold online, I logged in and it said low risk you dont need to do anything
A few hours later
I get a text from O2 saying my sim swap is now complete

Strange I didn't order a sim swap.. Then a few seconds later my sim disconnected and wasn't registered on O2 network... Then a few mins later £1800 paypal payment to Ikea



I'm fumin with O2. We've had fraud on our account before. Someone ordered some Iphones. We didn't know until an extra £100 started going out the bank. Can't believe someone managed to convince O2 of a sim swap with no notification to us beforehand. We changed the O2 password after the phones were ordered.


I've got my number back now but I'm on emergency call 24/7. If that had happened in the middle of the night I dread to think of the consequences


Is likely to be another o2 breach or do we think its my end.

 

[Rannoch]

I would be moving my number to another provider. How did you find out about the IKEA payment?

 

[Nasher]

Mobile phone providers are ******* useless. None of them seem to do their admin correctly and all have useless support when you have an issue.

Never sign a contract or hand payment details to them tbh, because they won't be safe.

 

[Rannoch]

Mobile phone providers are ******* useless. None of them seem to do their admin correctly and all have useless support when you have an issue.

So true, I dread any changes I make when I have to call then. Thankfully it’s been a long time.

 

[muon]

Your o2 password unique?

 

[mattyg]

I would be moving my number to another provider. How did you find out about the IKEA payment?

Email luckily

As a business user who is on emergency call 24/7 I'm fumin that someone could just take over my phone number.

 

[mattyg]

Your o2 password unique?

Yeah I'm a lastpass user so I dont even type them in 2fa set up on lastpass too.

 

[Rannoch]

Inside job?

 

[platinum87]

Someone got your O2 password, but not your Email password?

 

[mattyg]

Someone got your O2 password, but not your Email password?

Just the o2 password by the looks of it. I can't see any access to my email accounts

Inside job?

This is what I'm starting to think.

We still haven't had a resolution to the 2 iPhones that were added to our account 6 months ago.... Tomorrow they'll get one more chance before I hit Ofcom

 

[Minusorange]

I'm confused on the paypal part, how did they buy stuff from Ikea on your paypal with just your o2 account password and number ?

 

[Feek]

I'm confused on the paypal part

Me too, there is more to this than meets the eye.

 

[mattyg]

I'm confused on the paypal part, how did they buy stuff from Ikea on your paypal with just your o2 account password and number ?

Me too, there is more to this than meets the eye.

The conclusion I'm coming up with is they've done a sim swap so my phone went offline.. Then theyve requested a password reset or access via the paypal registered phone number

I got a sim will be disconnected text at 17:44
Then got a paypal email saying youve change your password at 18:04 and the Ikea paypal email at 3 mins later

 

[muon]

I'm confused on the paypal part, how did they buy stuff from Ikea on your paypal with just your o2 account password and number ?

The email address likely matches. So they just did a password reset using the mobile number for 2fa.

 

[DanTheMan]

Sim swap fraud happens far too frequently unfortunately. I don't know enough about the security process of mobile networks but they seem surprisingly easy to manipulate.

Once they have access to your number, they can reset usernames / passwords for anything that you have text / app verification set up on.

When I worked on the phones at RBS / Natwest, it amazed me the volume of sim swap fraud calls that I would take. I saw people lose tens of thousands to it.

 

[PapaLazaru]

Think about it, the problem is not with the Telco's, but the banks and Companies like PayPal. They have essentially transferred their main security process onto the Telco's without them wanting any part of it.

They need to work out another way to verify it is their customer that does not involve someone else.

 

[Zeeflyboy]

I tend to remove phone number as a 2FA option wherever possible for stuff that actually matters... often if you don’t actively remove it even when you set proper 2FA as your preference the mobile remains as a back up option which completely defeats the point of using authenticator etc as your preference.

Obviously you need to be that much more careful that you don’t get locked out of your account and make sure you safely store back up codes, but I’d rather my 2FA security was in my hands than rely on the strength (or more likely weakness) of my phone provider’s security.

 

[muon]

Think about it, the problem is not with the Telco's, but the banks and Companies like PayPal. They have essentially transferred their main security process onto the Telco's without them wanting any part of it.

They need to work out another way to verify it is their customer that does not involve someone else.

They should use something like Google Authenticator instead. That will be physically with the person and can't just be transferred. If the phone is lost then it will likely have a lock and even if it is unlocked you can't easily link the token to an account.

 

[Zeeflyboy]

They should use something like Google Authenticator instead. That will be physically with the person and can't just be transferred. If the phone is lost then it will likely have a lock and even if it is unlocked you can't easily link the token to an account.

Just FYI Paypal does... you can choose to use google authenticator etc and remove the option for SMS message.

The problem is everything is a compromise. While tech literate people won't generally have a problem, the average unwashed will lock themselves out of their accounts regularly using google authenticator. SMS based authentication is at least arguably better than no 2FA at all and considerably less difficult for the typical user to use on an ongoing basis, potentially across multiple devices over the years. Not only does an attacker have to have your password and email/username but they also have to be able to tie it to your phone number and sufficient personal information to fool the telco company into doing a sim swap or sufficient technical nouce to intercept etc.

 

[Efour]

Disturbing the crap you can get away with these days....