Contrasting the telco statements last week about tightened up security procedures for number porting with how barrister Matt Robson, former Alliance member of parliament and cabinet minister lost his number and had to fight to get it back point to current rules badly needing changing.
There's no warning when porting fraudsters strike. Robson noticed on the afternoon of September 24 that his phone had no network coverage for no apparent reason.
His phone did not reconnect to the network and the following morning Robson visited the Vodafone Queen Street store to be told by a representative that his number had been ported to Skinny.
• Police arrest 13 for money laundering as 'sophisticated phone scam' allegedly costs Kiwis millions
• Phone scam: Hundreds of victims as thousands of dollars posted offshore
• ASB Bank warns customers receiving scam texts about account suspension
• Phone scam: Two arrests in relation to people fleeced of hundreds of thousands of dollars
The person who had requested the number transfer to Skinny was allegedly Matt Robson himself.
An astounded Robson said he never authorised the transfer of his phone number, which he has had for over two decades.
Unfortunately for Robson, this is where his efforts to get the number returned got bogged down and gave the fraudsters time to rob him.
"Vodafone's front line staff didn't seem to know what to do, even though I offered to prove my identity with a passport," Robson said.
The Vodafone representative in the Queen Street store refused to call Skinny about the porting as that's against the current rules.
Without a working mobile Robson used another phone at his office to call Skinny's 0800 number.
While on hold, Kiwibank rang Robson's office number to tell him that his accounts had been frozen.
Someone posing as Robson used his number and the bank's Smart Phone facility to transfer money into two other Kiwibank accounts.
"They took $20,000 but as they tried to empty all my accounts at the same time, Kiwibank noticed it quickly and froze them," Robson said.
The same fraudster also used Robson's phone number to reset his Microsoft account password. After the password change, the fraudster obtained confidential client information and had access to sensitive data on his computer, Robson said.
Despite advising Skinny that he'd been defrauded, the telco refused to block the number.
Robson sent a complaint letter to Skinny, and noted that the Spark-owned telco "had clearly not asked for any standard Know Your Client (KYC) identification (passport, utility bills, etc) from the person who impersonated me."
He returned to Vodafone Queen Street and managed to get a reluctant representative there to call Skinny to block phone number return it to Vodafone which was again unsuccessful.
Vodafone told Robson to report the porting fraud to the police. What the police did beyond acknowledging the report isn't known to Robson who has not received any updates.
After Vodafone's fraud investigators got involved, Robson got his phone number back.
However, the agonising process took several days of going back and forth.
On top of the financial loss and privacy breach, Robson had to seek paid help from an infosec professional to secure his communications.
Whose responsibility is it to verify porting requests? In this case, it was Vodafone's job, Spark spokesperson Elle Dorset explained.
"The current law determines the process and it's up to the LSP (losing service provider) to verify and approve the port." Dorset said.
Vodafone is however not permitted to contact customers directly as it could be construed as an attempt to win back their business.
Dorset said that prepay mobile providers in NZ are not legislated to capture any KYC identification beyond what's necessary for the port to be submitted.
Those details are the phone number, current provider plus the SIM and account numbers, but beyond that prepay connections are anonymous in New Zealand.
Skinny did not block the number as that would have prevented it from being ported back to Vodafone, Dorset said.
"We have not provided financial compensation to customers affected by this type of fraud," Dorset said.
Instead, she said it's for banks to reimburse people who have had funds fraudulently withdrawn from their accounts, provided they're satisfied that the customers are not complicit in the fraud.
Vodafone spokesperson Nicky Preston explained that social engineering by the fraudsters helped the porting attack to succeed.
"This customer, Matt, was subject to a phishing attack and the fraudster managed to get around Vodafone's security questions by supplying Matt's personal information that had been gained via another means," Preston said.
"We're not sure how the fraudster obtained Matt's personal information in this instance, but in other cases we have seen birth dates pulled from social media sites or account details taken from stolen postal mail," she added.
"We've been working closely with the telco industry body, the Telecommunications Forum (TCF), to put additional measures in place to make porting fraud more difficult in New Zealand. Other countries have put similar measures in place, for example Australia implemented a 'Pre-port Verification Process' in mid-2018," Preston said.
Robson's experience shows that the additional measures can't come too soon, and for now beware of posting identifiable details on social media and watch out for letters from providers being intercepted.