Spark, Vodafone and 2degrees say they have tightened protections after a spate of sim card hijacking scams cost 20 Kiwis more than $1 million.
A sim card hijack or "sim swapping" (see Herald Graphic below) lets an offender take over your mobile phone number - allowing them to pretend to be you, and also to receive text confirmations that can allow them to, for example, change the password on your bank account.
On March 19, the Herald reported 10 sim card hijacks had cost victims an average of $30,000 each.
The new type of scam was first revealed by the Herald in October last year, when former Alliance MP Matt Robson discovered his phone had been changed from his Vodafone number to one on Spark's Skinny service without his knowledge.
The sim card hijacker drained $20,000 from Robson's bank account before he could cut through the red tape-heavy process of claiming back his mobile number.
Now police have revealed a string of alleged sim card hijacks by an unnamed New Zealand-born, Hong Kong-raised man - who, Stuff reports, allegedly scammed $500,000 from three victims: a woman in Mangawhai Heads who lost more than $200,000, a retired man in Remuera who lost $180,000 and an Otago-based real estate agent who lost $120,000 after his Westpac password was changed.
The man is said to have fled the country.
Auckland City Detective Inspector Scott Beard told the Herald that between October last year and January, the Auckland Financial Investigation Team knew of about 20 cases of sim swapping, "although it appears to have stopped since then".
"The recent spate of sim swap offending has caused losses of over a million dollars."
Three people have been charged with sim card hijacking offences, Beard said.
"All three are New Zealand citizens. One offender has already been convicted and sentenced to a term of imprisonment. A second offender is in New Zealand and remains before the Court. A third offender is outside New Zealand and is the subject of an outstanding arrest warrant."
Beard said a sim swap in Wanaka was still being investigated.
Sim swap attacks exploit the process of porting, or "number portability", which lets you take your phone number with you when you switch service providers and was introduced to boost competition.
Rob Pope, head of the government's Computer Emergency Response Team (CERT NZ), said the scam had been around for some time overseas, but last year was the first time it appeared in New Zealand.
Pope said the key step people should take to protect themselves is to not use two-factor authentication (or "2FA") that involves a mobile phone. That's when, as well as typing a password into your computer to access a website, you have to enter a code that is texted to your phone.
People should look for an alternative confirmation, such as a code sent to an app.
Two-factor authentication also commonly asks for the answer to a security question such as "What is your mother's maiden name?". Pope says unfortunately that information is usually easy to find online. The solution is to set up security questions with untrue answers.
Industry group the Telecommunications Forum (TCF), whose members include Spark, Vodafone and 2degrees, oversees number porting. Its head, Geoff Thorn, told the Herald the group was well aware of the hardship the frauds cause.
"Each of the mobile operators has changed its processes to make it harder for fraudsters to swap a number to their own device.
"The TCF is exploring the possibility of making technical changes, which will provide additional protection to consumers."
Spark: Well-intended protection backfires
Spark spokeswoman Sam Smith told the Herald its customers have to visit a Spark store and show identification before the swap can be approved.
"These measures have been extremely effective, however porting fraud where customers [move] their number to another service provider is more complicated and requires a coordinated industry-wide change to the porting rules."
Smith said customers wanting to move their number are asked their name, the number to be ported and their account number or Prepay SIM card number. This information is sent to the IPMS (Industry number Portability coordinating System) managed by TCF and is then verified and approved or declined by the LSP, the service provider the customer is leaving.
Smith said it is up to the LSP to approve the port, but the provider is not allowed to contact the customer directly as it could be seen as an attempt to win back the customer, "which is against the original anti-competitive spirit of the porting rules".
"The industry is exploring whether it is feasible to introduce a validation step to the porting process so the customer has to confirm the port is valid before it will proceed."
A TCF working party is also developing a code that would create one central place for all scam reports to be filtered into.
"The code involves organisations such as banks, police, online safety organisations, as well as telcos and would therefore provide a full and accurate picture of the scamming landscape in New Zealand. Industry has a similar code for scam calling and we are seeking to replicate this for mobile messages, too," Smith said.
Vodafone: Increasingly sophisticated attacks
Vodafone NZ spokeswoman Nicky Preston said the rising phishing schemes were "frustrating and upsetting".
"We urge New Zealanders to be aware of potential phishing attacks and stay vigilant – as fraudsters will try to obtain a customer's personal information from many different organisations, via increasingly sophisticated methods, and by using topical situations like the Covid-19 pandemic.
"We ask all customers to regularly change their passwords and PINs and never give out personal information unless they are certain who they are dealing with.
"SIM swapping fraud is complex but we are doing everything we can to combat fraudsters and to further protect Vodafone customers. We are working closely with other telcos and the TCF to develop additional industry-wide measures to make SIM swapping fraud more difficult, including assessing international best practices."
What to do if you're hit by a sim card attack
• Report it to your mobile phone company
• Report it to Crown agency CERT NZ, which will put you in touch with the right law enforcement personnel
• Report it to the Telecommunications Forum, the industry body that handles number porting