If your bank has your mobile number to help it “manage” your current account, you may want to have a rethink. John Ellard, managing director of a small internet service provider, has had his Nationwide current account emptied of £6,000 after fraudsters apparently took over his O2 mobile account, switched his number to a new Apple handset, and then used it to make a series of fraudulent purchases.
While Ellard was wondering why his mobile wasn’t working at his Hertford home last month, fraudsters were calling O2 pretending to be him to report it stolen. Simultaneously, the crooks had managed to obtain his bank account details to gain access to his Nationwide account, and were able to register him for telephone banking and increase his overdraft to £5,000.
In a bold move, they were then able to link his stolen phone number to a newly created Apple Pay account and use it to clear out his bank account in a matter of hours by going on a spending spree at various Apple stores.
The case will alarm anyone who has registered their mobile with their bank and relies on it to receive security information.
Ellard, who says he has spent the past few days in financial and emotional turmoil trying to deal with the fallout, appears to be the latest victim of fraudsters targeting vulnerabilities in the mobile phone system.
Guardian Money has already reported on so-called “sim swap frauds”, which see fraudsters taking over people’s bank accounts via their mobile phone. The fraudsters call the phone provider and, as long as they can answer basic security questions – which can be things as simple as your name, address and date of birth – are able to cancel the old sim and gain a new one. From then on they can intercept or initiate calls and texts as if they were the victim.
The first Ellard knew of this was when he got a letter from Nationwide telling him his overdraft had been increased. Ellard, who regards himself as technically savvy, says he has been astounded that both O2 and Nationwide’s anti-fraud systems were so easily evaded. He also says other bank customers should seriously consider whether they want their bank to use the mobile network to check their identity, given the flaws. He won’t be doing so in the future, he says.
Ellard believes the theft of his bank details may be linked to the fact he had just moved house and had ordered a carpet. He had paid using his bank card, and store staff had his address, card details and mobile number.
“The fraudsters simply rang O2 and reported my phone stolen. I just thought it was on the blink. In the meantime, armed with my bank card number – plus the three digits on the back, mobile number and date of birth – they were able to clean out my account. I’m a company director, and it would have been very easy to find my date of birth at Companies House.”
He says people have no idea how draining it is dealing with something like this. He criticises Nationwide for allowing the access, but says the building society has at least been helpful since the event. It has told him the £6,000 will be repaid, and offered £350 compensation.
O2 told Money that someone posing as Ellard had twice tried to take over his account but failed the security checks. On a third occasion the phone was reported stolen and the account blocked until the real Ellard reported it as not working. O2 maintains that at no point was Ellard’s mobile account taken over, and claims that no sim card other than the one Ellard had in his phone has been associated with his account.
Nationwide told Money that Ellard’s mobile number had been used to make the Apple Pay purchases linked to his account. When the fraudster tried to make the first Apple store purchase for almost £2,000 it blocked it as unusual – but the fraudster phoned the society and convinced staff that they were Ellard.
A Nationwide spokeswoman says: “Unfortunately, our customer has been the victim of account takeover fraud after his details were compromised. As soon as the society became aware of the fraud it acted swiftly to protect his accounts, and the stolen money was refunded. Additional security has been placed on his account. While we are able to stop most fraud from occurring, it is not possible to stop all. However, when a customer is an innocent victim of fraud we will look to refund their money immediately.”
This is not the first case of a fraudster using a victim’s mobile to access their bank account. In September last year we featured the case of Emma Franks who had £1,500 taken from her after thieves took over her Vodafone account. Someone – not her – had reported her sim card water-damaged, and requested a replacement.
Last month, meanwhile, NatWest was forced to admit that its security measures weren’t good enough after staff on BBC Radio 4’s You and Yours programme were able to hack into a colleague’s bank account and steal a token sum using her phone.
The programme had been contacted by a number of people who had lost money to sim card fraudsters. One of these victims, Robert from East Anglia, said he had lost £3,000. NatWest had tried to blame him for the theft, even though £500 was spent on an online betting site at the exact time he was sitting in a NatWest branch trying to solve the problem. NatWest has since placed a warning about sim swap fraud on its own website, though the consumer is often powerless to halt this scam.
‘Fraudsters are incredibly sophisticated’
Few UK banks have the technology in place to spot sim-swap fraud. One exception is Santander, which uses a system developed by US software firm Fico, which claims to have a 100% success rate in halting fraudulent account takeover attempts following a sim swap.
Fico director Gabriel Hopkins told Guardian Money that his company’s technology is able to detect whether a sim card has been swapped since the last transaction by comparing the sim’s unique international mobile subscriber identity (IMSI) number with the one recorded at that earlier transaction.
If the system detects that the sim card has been changed, he says, it triggers a notification which in turn will prompt stronger checks into the person making the cash transfer – in short, to establish whether or not they are the account holder.
“In many cases there will be a legitimate reason for a sim change. The customer might have upgraded their handset or genuinely lost their phone and had their sim replaced. In that instance, the system will pass the case over to a fraud handler who can then call up the customer and verify their identity before approving the money transfer,” Hopkins says.
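The IMSI comparison Hopkins describes, reduced to a small decision routine. This is an added example, not Fico’s or any bank’s code; the account names, IMSIs, the call-back record `handler_verified` and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    account: str
    amount: float
    current_imsi: str   # IMSI the carrier reports now for the customer's registered number

def assess(last_imsi: str, t: Transfer) -> str:
    """'approve' if the sim is unchanged since the last approved transaction;
    otherwise 'verify_caller': hand to a fraud handler who confirms identity by a
    channel that does not depend on the phone number (a text code would simply
    reach whoever now holds the number)."""
    return "approve" if t.current_imsi == last_imsi else "verify_caller"

def process(last_imsi_by_account: dict, transfers: list, handler_verified: set) -> list:
    """Run transfers in order. last_imsi_by_account is the IMSI on record at each
    account's last approved transaction; handler_verified holds (account, imsi)
    pairs a fraud handler has already confirmed with the customer by call-back."""
    decisions = []
    for t in transfers:
        d = assess(last_imsi_by_account[t.account], t)
        if d == "verify_caller" and (t.account, t.current_imsi) in handler_verified:
            d = "approve_after_verification"   # genuine handset upgrade: accept the new IMSI
        if d != "verify_caller":
            last_imsi_by_account[t.account] = t.current_imsi
        decisions.append((t.account, d))
    return decisions

def demo() -> list:
    # Constructed sample data: account names and IMSIs are made up for illustration.
    on_record = {"acct-A": "234100000000001", "acct-B": "234100000000002"}
    transfers = [
        Transfer("acct-A", 120.0, "234100000000001"),   # same sim: no extra friction
        Transfer("acct-B", 1950.0, "234100000000099"),  # sim changed, nobody has verified
        Transfer("acct-A", 80.0, "234100000000050"),    # sim changed, handler confirmed
        Transfer("acct-A", 60.0, "234100000000050"),    # new sim now on record
    ]
    verified = {("acct-A", "234100000000050")}
    return process(on_record, transfers, verified)
```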
He adds that banks have increasingly used mobiles as a way to verify their customers’ transactions because bank customers prefer not to have to carry around card readers or dongles.
“The fraudsters have become incredibly sophisticated, and it’s a battle for all the banks and telecoms firms. It’s easy for someone with a phone number, card details etc to go into, say, a Vodafone store, go up to the youngest person working there and explain they have lost their phone. That person, trying to be helpful, will give them a replacement sim and they leave the shop with a working replacement – in effect, the fraud victim’s phone.”