O2 account hacked and phone number stolen
- Thread starter mattyg
- Start date
Soldato
Get onto the police via 101.
Soldato
Very possibly.
If you use a password manager like 1Password it will notify you when a site enables 2FA via access codes rather than SMS. I've moved all of my logins over but it sucks that banks still send access codes via SMS.
PayPal
Any further news?
I got up at 6.30am to call IKEA and see if I could put a stop on the order.. They cancelled it straight away... Then whilst on the phone Paypal emailed and said they had looked into it on the 2nd attempt and refunded me..
O2 however have been useless. I called their business support team and managed to get put through to the same person that dealt with the initial fraud a few months back.. Told her I need a call back from the fraud team asap
Still nothing..
If I dont hear this week I'll be taking our business elsewhere. I'll also be recommending to one of our accounts to put a piece in the company newsletter regarding Sim swap fraud and lack of giving a **** from o2
over 3500 employees will get that newsletter
I've looked for this and cant find it..
I use google Auth for account access but for password recovery one of the options is a code to be text to the registered number
Settings - Security - 2factor and remove any backups.
^^ what he said
I have 2fa already switched on But it seems to only be for logging into my paypal account direct...... Have you tried to make a purchase and see if it needs the 2fa App before proceeding. And can you check to see if SMS password reset is still there
I've just tried it again and if you click the having trouble logging in. Recieve an SMS is still there as an option
Last edited:
Yes, requires 2FA from authenticator app before a purchase (assuming you haven’t trusted this device of course) and no option to use any other means.
However you just made me try to hack myself out of interest. Despite removing the phone as a backup option I can still reset password using text message... so far so stupid. Having reset the password successfully by text, I am then presented with a 2FA code requirement before logging in with my new password... so the system works. Nope, if I now click trouble logging in I can be texted a code and log straight into the account with my new password bypassing authenticator 2FA.
Dumb as bricks.
I've sent Paypal feedback of the situation and info on sim swap fraud.
It'll probably not get anywhere though.
I've now removed my main number and have added a number by a different provider.
Crazy having the security that can be bypassed so easily. Granted a number of things have to fail first but Sim swap fraud is massive in america so wont be long before it comes here in a big way
Soldato
What do you need to swap my o2 sim?
Sim Swap fraud was a massive thing when I worked in telecomms retail 12+ years ago. We used to see it all the time back then, was pretty easy to shut down in store as we'd just demand a proof of ID before we'd do a sim swap, its a lot more challenging over the phone as if they know if your security details then the agent is ****ed.
No you can use any o2 (the same provider as your currently using) sim. So you get a pay as you go sim. Initiate the sim swap and your number gets transferred to the new sim. You can buy them pretty much anywhere these days.
You just input the new sim's "serial" number into the system...
It has its uses.
Say you sim card went faulty. You can grab another ism form tesco and be back up and running in a few mins. But its that ease of use which makes it insecure
That's very insecure.
Soldato
My wife was a manager in a call centre a while back for a major network. The main source of failure they had with regards to account security were undeniably via overseas call centres that the company employed. She remembers one report that stated that in 200 test calls 86% of agents neglected to complete correct authentication procedures. Several agents gave account details to callers that the account holder should know (address, DOB etc).
Further investigations also found that a certain 3rd party call centre company, based in a country known for telecommunications scams, was SELLING customer data.
You can easily obtain a SIM from anywhere. Easiest option is to pick one up for a quid or so at a local low cost supermarket and then call and give the serial to have it activated. Many operators don't even required you to call, you can activate a SIM via online portals.
I see, but as a security measure, shouldn't they send a new SIM or a code by post to the registered address?