“Sick to the bottom of my stomach”: one man’s horror experience of identity theft in Australia
Beware: thieves can use your phone number to steal your identity and your cash. Here's how one Sydney man lost $2,000 in under an hour.
For more on identity theft, check out episode #111 of Finder's Pocket Money podcast.
Identity theft in Australia is on the rise. Australians lost $4.3 million to ID hackers in 2019, according to ScamWatch. This figure is almost three times the total amount lost in 2018.
The tactics currently used by identity hackers are so sophisticated that even an expert can fall victim. If this isn't alarming enough, these attacks can happen fast and leave the victim out of pocket and trying to sort out the mess for weeks or sometimes months.
Finder recently spoke to an IT worker living in Sydney who, despite having a good knowledge of the risks of tech and data theft, had his identity stolen and his online accounts hacked. Paul, who has asked Finder to withhold his full name for professional reasons, designs ID security systems for a living. He says his experience has forever changed the way he will approach his own security online.
"Hello from Telstra. A request to replace the SIM card for your number has been received. If this was not authorised, please call us immediately on 13 22 00."
Paul received this text message late one Friday afternoon but didn't notice straight away. By the time he did, his SIM card had already been disconnected from the Telstra network and his phone no longer worked. What he didn't realise was that this was far from a simple telco stuff-up.
Friday: Where are all the managers?
Many businesses begin to wind down for the week on Friday afternoons, making this a convenient time for hackers to attempt identity theft. As soon as Paul read the text from Telstra that day, he borrowed a colleague's phone and called to sort out the issue with his own phone.
"They told me that I had placed an order requesting my number be moved to a new SIM. I explained that no - I didn't, I'm responding to your text. We ended up going round in circles. I asked the operator to reverse the order and block the new service. She said she couldn't as the process had been completed."
While on the phone, Paul checked his bank account and discovered that someone had already transferred $15,000 from his savings to his current account and made two $1,000 cash withdrawals. Paul described what was happening to the Telstra operator who advised him to contact the police, as there was nothing Telstra could do.
Next, Paul rang Commonwealth Bank, who said the two cash withdrawals had been made with a new debit card delivered to his home. It appeared that someone had stolen the card from Paul's mailbox and activated it. Paul says he isn't sure how the extra personal information required would have been accessed. He locked down his account, cancelled his cards, called Telstra back and spoke to another operator who agreed to suspend his service.
Later Paul went to the police to file a report. He also used his wife's phone to check his emails and discovered his phone had been used to access his Google and PayPal accounts as well, where more personal information was available.
Saturday: Changing all the passwords
Paul spent most of Saturday changing passwords for every account he could think of - over a hundred in all. He set up two-factor authentication using Google and Microsoft apps where possible. After all of this, Paul received a notification saying that a $30 Telstra recharge had been purchased using his PayPal account.
Somehow, despite changing all his passwords, someone still had access.
Monday: Store hopping
By Monday morning, Paul's phone was still offline. With another visit to a Telstra store now required on top of trips to multiple banks to collect new cards, Paul was forced to take the Monday off work.
"The guy in the Telstra store told me that my phone was registered as stolen, and I needed to go to the Apple store to unblock it. When I went to the Apple store, they told me there is no way that they can block a phone in this way."
At Apple they put Paul's SIM into another phone - where it worked. Paul then checked the status of his IMEI (phone ID) number using the AMTA service, which reported that his phone had been blocked by Telstra. He went back to the Telstra store where, after three days off-grid, his phone was finally unblocked.
So exactly why did this process take so long, and is this the norm for most customers who experience identity theft? We contacted Telstra to ask. A spokesperson says Paul's initial call was mishandled by advising him to contact police rather than escalating the issue to a specialised team, and that his in-store inquiry was mishandled by sending him to Apple rather than unblocking his phone initially. "We get it right most of the time but in this specific case, we didn't. We're very sorry this happened to Paul and we are attempting to reach him to get feedback."
Finder spoke to Paul after the follow-up contact from Telstra. "Telstra called with some tips about how to stay safe online, but didn't apologise. Worse, they denied to me that they were the ones who had blocked my phone, only to change tracks later. I feel like I only received this call because of my interview with Finder as I had submitted a complaint earlier, but never heard back. What's a regular customer supposed to do?"
PayPal told Finder that it will credit Paul for the disputed Telstra payment.
With apparent access to his address, driver's licence details and date of birth, hackers still had the potential to do a significant amount of damage. To protect himself further, Paul contacted all three Australian credit agencies to place a ban on his credit file, preventing new credit applications from being made in his name.
He also called Roads and Maritime Services to attempt to get a new driver's licence number but was unable to do so as he couldn't provide direct evidence his licence had been used for fraud. The Maritime Services Board told Finder that a new licence number can only be issued in NSW when the licence itself has been used in identity theft or serious crime.
Cruise shock: Another attempt
Several days after these events, Paul's cruise holiday was interrupted by another hacking attempt. While waiting to leave the passenger terminal in Sydney, Paul discovered that someone had once again gained access to his bank account and ordered a new debit card to arrive at his home while he was away. For a second time, Paul was forced to cancel his bank cards.
Commonwealth Bank refunded all of the stolen cash, with interest. "Where there is fraudulent activity, our process is to fully reimburse our customers as quickly as possible to minimise inconvenience," a Commonwealth Bank spokesperson told Finder.
Paul has not experienced any new hacking incidents since. This experience, however, has left him with an ongoing fear of another attempt.
"As I was watching the money coming out of my account, I was sick to the bottom of my stomach. I felt like I'd been attacked. That feeling that I got when I watched the first thousand disappear just hasn't gone away."
The lessons learned
Paul's story highlights the fact that ID theft can happen to anyone. He told Finder that he wishes he had increased security on his accounts before this incident, and will be far more wary of having new cards delivered to his home in the future.
One way to reduce the risk of personal details being used if they may have been compromised is to change those details. Paul now plans to close all of his current bank accounts, get a new phone number, and make another attempt at getting a new driver's licence number.
"It's a pity," Paul said, "that I can't change my date of birth too."
Tips to prevent identity theft happening to you:
- Set up two-factor authentication on every personal account using an authentication app such as Google or Microsoft Authenticator rather than SMS as the second factor where possible.
- Make sure to regularly check your credit report online (for free) and monitor it for suspicious activity.
- Never get new credit or debit cards delivered to your home, especially if you have an outdoor mailbox.
- Download the myGov Authenticator app and connect it to your account.
- Set up a voice-biometric ID and additional secret question with the Australian Tax Office.
If you do fall victim to identity theft:
- Check all of your online accounts for suspicious activity and cancel any bank cards which may have been compromised.
- Place a temporary ban on your credit reports via email with Australia's three credit agencies Experian, illion and Equifax.
- If your driver's licence details have been compromised, report this to the relevant body in your state.