O2 account hacked and phone number stolen

Phew an eventful last hour or so


I got an email from Experian today saying my email address & password have been sold online. I logged in and it said low risk, you don't need to do anything
A few hours later
I get a text from O2 saying my sim swap is now complete

Strange, I didn't order a sim swap.. Then a few seconds later my sim disconnected and wasn't registered on the O2 network... Then a few mins later a £1800 PayPal payment to Ikea



I'm fuming with O2. We've had fraud on our account before. Someone ordered some iPhones. We didn't know until an extra £100 started going out of the bank. Can't believe someone managed to convince O2 of a sim swap with no notification to us beforehand. We changed the O2 password after the phones were ordered.


I've got my number back now but I'm on emergency call 24/7. If that had happened in the middle of the night I dread to think of the consequences.


Is it likely to be another O2 breach or do we think it's my end?
 
I'm confused on the PayPal part, how did they buy stuff from Ikea on your PayPal with just your O2 account password and number?

Me too, there is more to this than meets the eye.

The conclusion I'm coming up with is they've done a sim swap so my phone went offline.. Then they've requested a password reset or access via the PayPal registered phone number

I got a "sim will be disconnected" text at 17:44
Then got a PayPal email saying you've changed your password at 18:04 and the Ikea PayPal email 3 mins later
 
PayPal :mad:

Any further news?

I got up at 6.30am to call IKEA and see if I could put a stop on the order.. They cancelled it straight away... Then whilst on the phone PayPal emailed and said they had looked into it on the 2nd attempt and refunded me..

O2 however have been useless. I called their business support team and managed to get put through to the same person that dealt with the initial fraud a few months back.. Told her I need a call back from the fraud team asap
Still nothing..
If I don't hear this week I'll be taking our business elsewhere. I'll also be recommending to one of our accounts to put a piece in the company newsletter regarding sim swap fraud and lack of giving a **** from O2

Over 3500 employees will get that newsletter
 
Just FYI PayPal does... you can choose to use Google Authenticator etc and remove the option for SMS message.

I've looked for this and can't find it..

I use Google Auth for account access but for password recovery one of the options is a code to be texted to the registered number
 
Settings - Security - 2factor and remove any backups.


^^ what he said :D

I have 2FA already switched on but it seems to only be for logging into my PayPal account direct...... Have you tried to make a purchase to see if it needs the 2FA app before proceeding? And can you check to see if SMS password reset is still there?


I've just tried it again and if you click "having trouble logging in", "Receive an SMS" is still there as an option
 
Yes, requires 2FA from authenticator app before a purchase (assuming you haven’t trusted this device of course) and no option to use any other means.

However you just made me try to hack myself out of interest. Despite removing the phone as a backup option I can still reset password using text message... so far so stupid. Having reset the password successfully by text, I am then presented with a 2FA code requirement before logging in with my new password... so the system works. Nope, if I now click trouble logging in I can be texted a code and log straight into the account with my new password bypassing authenticator 2FA.

Dumb as bricks.
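
The recovery behaviour described in the post above, written out as a small threat model. This is an added example, not part of the original thread and not PayPal's actual logic; the flow table, factor names and function names are constructed from the poster's description. It computes the smallest sets of factors that lead to a logged-in session, with and without the SMS fallbacks.

```python
from itertools import combinations

# (factors that must be presented, what the flow grants).
# Constructed model of the three flows the post describes.
FLOWS_AS_DESCRIBED = [
    ({"password", "totp"}, "session"),  # normal login with authenticator app
    ({"sms"}, "password"),              # password reset by text message
    ({"password", "sms"}, "session"),   # "trouble logging in" text-code fallback
]

# Assumed hardened variant: every flow that accepts an SMS code is removed.
FLOWS_WITHOUT_SMS = [f for f in FLOWS_AS_DESCRIBED if "sms" not in f[0]]


def reachable(held, flows):
    """Fixed-point closure: everything obtainable starting from `held`."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in flows:
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return held


def minimal_takeover_sets(flows, goal="session"):
    """Smallest factor combinations that are enough to reach `goal`."""
    factors = sorted(set().union(*(needs for needs, _ in flows)))
    found = []
    for size in range(1, len(factors) + 1):
        for combo in combinations(factors, size):
            candidate = set(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # a subset already suffices, so this is not minimal
            if goal in reachable(candidate, flows):
                found.append(candidate)
    return found


if __name__ == "__main__":
    print("as described:", minimal_takeover_sets(FLOWS_AS_DESCRIBED))
    print("without SMS: ", minimal_takeover_sets(FLOWS_WITHOUT_SMS))
```

With the flows as described, control of the phone number alone is a sufficient set, which is why the mobile provider's SIM swap process ends up being the effective strength of the account.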

I've sent PayPal feedback of the situation and info on sim swap fraud.
It'll probably not get anywhere though.

I've now removed my main number and have added a number by a different provider.

Crazy having the security that can be bypassed so easily. Granted a number of things have to fail first but sim swap fraud is massive in America so won't be long before it comes here in a big way
 
How does this work? Surely if doing it over the phone, the new SIM gets sent to the address on the account? I.e. your address.

No, you can use any O2 (the same provider as you're currently using) sim. So you get a pay as you go sim. Initiate the sim swap and your number gets transferred to the new sim. You can buy them pretty much anywhere these days.
You just input the new sim's "serial" number into the system...


It has its uses.

Say your sim card went faulty. You can grab another sim from Tesco and be back up and running in a few mins. But it's that ease of use which makes it insecure
 