
Security concerns with mobile provider.

Adamskiodp

Casual Member
I have become aware that my mobile provider has had an increase in unauthorised SIM swaps and PAC transfers.

This is made worse by not having any telephone support and an up to 24 hour wait for an online response.

This gives the hackers time to cause financial havoc which may not be resolved for days/weeks.

So . . . . My question is, which UK mobile networks have a rapid response to unauthorised SIM swaps/PAC transfers?

Which providers carry out extra checks to make sure that the SIM swap/PAC request is from the genuine account owner in the first place? Currently all it takes is to request the transfer via email and within a few minutes your number is in the hands of someone else which can be used to reset passwords on many other online accounts effectively locking you out.

This is just one example of many sadly

 
Three ask for your date of birth when requesting a PAC as additional verification. Some Vodafone accounts will ask for the account PIN when requesting it too. But that's about as strict as it gets.

In terms of quick support, I am with CMLink (EE), who have 24/7 support and answer calls at all hours of the day or respond to emails within minutes. If you get a PAC and provide it to another network they send a confirmation email saying your number has been booked for porting on X date and to contact them if it wasn't you. They would at least pick up your request quickly and cancel the PAC.

For security, porting away from a mobile network and into a VoIP service like A&A could be a solution? They don't offer automated porting. If you want your number you have to contact customer service and clear security to do so.
 
I can share Tesco Mobile's practices if that's of any interest to you:

  • In order to access your account, we pass DPA which is answering your name, security question and DOB.
  • If it fails, it will be logged and the account holder is notified via SMS.

  • In order to do SIM swaps, we need to pass high level security with an OTAC (2FA code by SMS or email).
  • The registered email cannot be changed without OTAC. The SMS is sent to the Tesco number, not the contact number.

  • If a SIM swap is requested, it has a 24 hour security hold and the number is immediately sent a message informing them that it has been requested.
  • There is an option to cancel it within that time period.

  • The alternative option is to order a SIM replacement, which only requires passing DPA and not OTAC. That will deliver it to your registered address with tracked postage.
  • To change the address, it also requires OTAC and will inform you by both SMS and email that the address has been changed.

It's pretty airtight, often to the dismay of customers that they have to wait 24 hours for their new SIM to be active. You can bypass that hold by texting SWAP to 23424 from the old SIM as this method assumes it's the account holder as they already have the original SIM.

Other networks may have different practices. Personally I think Onfido would be pretty cool where we can scan a customer's ID and face to confirm their identity. That would let us give a working SIM immediately as we know it's them. I'll just keep on dreaming 😭
 
Key point is this:
  • Unbeknownst to him, the attacker had taken over his online GG account, changed the password and locked him out.
Does giffgaff not send a passcode to a mobile number when logging in from a new device? Even if my SMARTY or Vodafone login credentials were ever compromised, the individual still couldn’t log in without first receiving a 2fa code via text.
 
I've been thinking about this recently as a couple of weeks ago I got a great number on a free Three PAYG SIM so switched that to be my personal number.

Yes, Three did ask for DoB after I texted for a PAC.

But looking at the account settings on my other SIMs, the only way I think I can secure the PAC is by requesting a PAC every thirty days and letting it expire.

I was also concerned that momentarily leaving a phone unguarded, what is to stop someone texting for a PAC, texting their phone to get your number then deleting the SMS messages? Would take seconds.
 
without first receiving a 2fa code via text.
It appears that it's the 2FA that's the issue.

The easy bit seems to be for a hacker to gain access to your email account. Once they have that, they can request a SIM swap via email and once they have your mobile number on a new SIM, they can request 2FA codes for other online accounts.

It's a lengthy thread but interesting (and scary reading) https://community.giffgaff.com/d/34108737-stem-the-flow-of-sim-swap-pac-port-fraud
 
I've been really concerned with this type of thing for a long time. The only thing I could come up with was using a second phone number for all 2FA. The number is not ever linked to my email account and no-one I know or ever meet would know that phone number. If someone stole my main phone number it wouldn't actually give them access to anything really important.
 
I have become aware that my mobile provider has had an increase in unauthorised SIM swaps and PAC transfers.

This is made worse by not having any telephone support and an up to 24 hour wait for an online response.

This gives the hackers time to cause financial havoc which may not be resolved for days/weeks.

So . . . . My question is, which UK mobile networks have a rapid response to unauthorised SIM swaps/PAC transfers?

Which providers carry out extra checks to make sure that the SIM swap/PAC request is from the genuine account owner in the first place? Currently all it takes is to request the transfer via email and within a few minutes your number is in the hands of someone else which can be used to reset passwords on many other online accounts effectively locking you out.

This is just one example of many sadly

1) don't use sms 2fa
2) use a yubikey or perhaps a passkey (I favour the former)

This posted link - need to go and remove 2fa from all accounts where possible and switch to yubikey!
 
Sorry I'm really confused by this. So how does it all start? The attacker has the giffgaff account password?
The attacker already has access to your email account when you unwittingly respond to a phishing email/SMS.

Once they have access to your email, they can log into your giffgaff account because they send the 2FA code to the email address and they can then change the account password and swap your mobile number to a new/blank SIM (or eSim) in their phone.

This is because giffgaff do not use another method to make sure that the person requesting the SIM swap is the actual account owner.

Once the hacker has control of your email and mobile number, they can access other online accounts including your bank, PayPal, Amazon etc . . .
 
So basically it's a non issue if you are not compromised already?

I got so lucky in like 2005 when my mum fell for an eBay phishing email. They listed stuff for hundreds of pounds. My mum, so concerned, gave me the Friday off school to get it fixed and contact eBay (found out around 8am). Ever since then I have been very diligent about phishing and security.
 