Criminals are renewing their efforts to steal New Zealanders' phone numbers by abusing weaknesses in verification systems for number portability, with potentially devastating consequences if they succeed.
Porting fraud, or SIM swapping, is a big problem overseas. New Zealanders aren't spared either, forcing the telco industry to rethink how customers can shift their number safely yet conveniently.
Vodafone spokesperson Nicky Preston said that while porting fraud is rare, the telco has seen an increase in this type of scam in recent weeks.
Last year telcos had to change their porting processes, including asking customers to visit physical stores with valid identification, to make SIM swapping fraud harder.
Not every telco has stores though. Physical visits are not required with Spark's budget brand Skinny which is online-only and lets customers port numbers via its website.
To port a number, you buy a Skinny Subscriber Identity Module (SIM), dial 456 to activate it, sign up for an account with the telco and submit a "Keep My Number" request.
Skinny's security measures include asking prepay customers to provide the 16- to 17-digit serial number printed on their SIMs. On-account customers need to provide account numbers from their old telcos.
Those and other measures don't appear to be enough to fully stop porting fraud.
Elle Dorset from Spark said, "We are aware of some instances of porting fraud in New Zealand which has emerged as a new form of SIM swap fraud after all the Mobile Network Operators tightened up the SIM swap process.
"This is an issue that affects all telcos, and Skinny is not exempt."
"Skinny and other telcos' problems are due to the rules around communicating with customers who wish to port to another provider", Dorset said.
To avoid call centre staff being social engineered by fraudsters, Vodafone has put in place several security measures.
"When customers contact Vodafone, we require they provide their PIN number or we ask a series of security questions – and we are always investigating additional ways to protect our customers from fraudsters," Preston said.
"With Kogan Mobile, we have security checks in place to verify the identity of a caller," she added.
2 Degrees mobile spokesperson Katherine Cornish said: "We allow porting and SIM swaps in store and online, though it's fair to say we have tightened our controls and procedures around this in recent times."
"While there will always be attempts at fraud, these new measures have seen a reduction in successful attempts to defraud customers," Cornish said.
Stealing your mobile phone number can be very profitable for fraudsters. Plenty of providers and businesses, including banks, send two-factor authentication codes for logins and transactions via Short Messaging Service texts.
Many call centre systems also store and recognise customers' phone numbers as an identifier, making it easier for fraudsters to impersonate you.
Porting fraud can also be used to dent someone's reputation. In August, it looked like Twitter boss Jack Dorsey was sending out offensive tweets to his 4.2 million followers, much to their surprise.
Dorsey had had his mobile number ported, and the attackers abused the Twitter feature that lets users tweet via SMS.
This is how Twitter was originally designed to work, and the social media company had to turn off tweeting via SMS after Dorsey's account was hijacked. The attackers have been taking over other online influencers' accounts as well, using the same technique.
Porting fraud can cause real damage, and the Australian government last week decided to tighten up identification rules for porting.
There's been a large increase in porting fraud across the ditch, with at least 2000 people having their numbers nicked. Elsewhere porting fraud is a huge problem, especially in countries where mobile payments are popular.
Demonstrating how popular the technique has become, last December one gang ported the numbers of over 5000 people in Brazil, targeting their mobile payments.
While it does happen in New Zealand, industry organisation Telecommunications Carriers Forum chief executive Geoff Thorn said the problem isn't as bad here.
Nevertheless, Thorn said TCF and the telcos are planning measures to make porting fraud harder.
One issue is that current Commerce Commission rules don't allow subscribers' existing providers to contact them, for competitive reasons. That may have to be tweaked, along with other changes to ensure that the people requesting porting are who they say they are.
Number portability was introduced in 2007 to boost competition in the telco market. The challenge is to ensure that porting numbers stays quick and easy, yet secure enough to avoid fraud. Making the process too complex could discourage people from moving providers, and hurt competition.
What should people do if they notice something is wrong, like the phone signal disappears for no reason?
"If a phone unexpectedly stops working, people should report it to their provider as soon as possible, in case it's porting fraud."
"They might need to use another phone or send an email to do it, but they should contact their provider quickly," Thorn advised.
Porting fraud is another reason why authentication with SMS codes or even voice calls should stop sooner rather than later. Verifying your identity is better done on devices themselves, either via one-time codes or hardware keys that only you have access to.
This year has seen the first batch of SIM-swapping criminals being convicted for fraud, after they ported numbers to steal users' crypto-currency.
Despite the recent court cases, porting fraud remains a lucrative crime that'll tempt other attackers to look for weaknesses to exploit.
Nobody wants number portability to go away and all of us, including the telco industry and regulators, need to be vigilant and quick to respond.