Long story short, someone fraudulently ported out my phone number to another carrier, then went to access my PayPal account and reset most of my banking passwords that required 2 Factor Authentication (2FA) using a mobile device.
Luckily, I was quick-ish to react and moved all my funds out of my bank accounts and also changed the mobile phone number associated with the bank account. However, they were able to breach my PayPal account and reset the password first, then by looking at my accounts joined to my PayPal worked out which banks I was with.
They are quick: at about 2:30PM on Friday I received a port out notification, by 2:45PM my PayPal was compromised, and by 3:00PM they tried to reset my banking passwords.
I have messaged Optus Chat (from within my account) and was advised they could not do much about it, and a "Port Reversal" was required to be submitted which is fine. I hastily went to an Optus store to get this actioned to find out that it takes 2x business days to action, being a Friday afternoon it would be at least Tuesday before anything would happen.
I have also submitted this case to the TIO, IDCARE and have a signed Statutory Declaration which has been submitted to Optus identity fraud team. What I do find hilarious is that their automated response advises this could take 2~4 weeks to action!
I don't know what the Telcos are doing to stop these types of scams from happening, but I can imagine if someone was not quick enough to react to the port-out SMS their security, bank accounts would be heavily compromised. If you look on these very forums, there's also someone asking what their account number is and posted up their entire name, DOB and mobile number. If these are the only bits of information required to port out a number, then there's some serious lack of conduct and gross negligence by all the Telcos combined.
So rant over, what are my options? Wait out 4 days to get part of my life back on track OR wait what the TIO has to say?
I am sorry that you are going through this.
Telcos have to conform to the ACMA industry code and rules for number portability - this is what sets the requirements for porting.
2 factor authentication using SMS is not the best (my bank actually sent me a physical keyfob to generate a one time code to log in).
By submitting the required documentation and requesting a port reversal there is not much else you can do from a telco point of view.
Change your password to your email, PayPal, bank etc. (on a different computer).
You can also set up 2 factor auth using an app on your phone such as Google Authenticator - does not use SMS at all - just an electronic version of what I have for my bank.
Ouch. I completely agree that the Telco (not just Optus) response to this illegal activity is well below par. In theory they face costs and liability too so it's surprising they don't take it more seriously. At the very least there should be a direct support line dedicated to get an informed response. I also think that all ports should be subject to at least a 48 hour delay. They can take weeks anyway so making the first the 'customer' hears about this just 15 minutes before completion is a recipe for disaster.
In fairness though, once the number has ported, Optus has much less control over what happens to that number. Also, requests here online for Name, DOB etc. are only asked for over PMs; however, Optus also routinely sends out communications (SMS, phone calls etc.) that also directly request this information before they proceed with the call they made - very bad practice to educate your customers that sometimes giving this information is acceptable.
I use 2FA but it does have its limits as @Paddylee (great advice) says. A very good recommendation to use an App on your phone (Google Authenticator or Microsoft Authenticator etc.) that can add various realtime codes from many sites. Not infallible but does stop this port out scam working.
Personally having been this compromised I would just get a new phone number. Optus should be able to give you a SIM and link it to your account etc. Although if you've 'ported out' then presumably you can just set up a brand new account right now. Just confirm they'll close off the other account with no fees etc. Not sure if that's possible but an option.
Otherwise maybe grab a prepaid SIM for the next month and all you can do is wait.
BTW The TIO is primarily interested in if contractual obligations have been met (and in this case I suspect they have).
Oh my, @HaveBeen. I can certainly see where your frustrations come from, sounds like you were quite on the ball with changing your passwords and identifying what had gone wrong.
As Peter has mentioned, once a number has been ported to another provider, we don't have as much control as what we would like; however, I can appreciate that 2 business days is quite a while when you're waiting for your number to be returned to the right provider. With regards to the Fraud team, I'm not under the impression that it will take 2-4 weeks, my understanding is it is way sooner than that, however I'll need to check that for you.
I can understand why you've gone to the TIO for assistance in this case, really sounds like you haven't had much luck in the last few days and I'm terribly sorry for the experience as a whole.
If you'd like us to take a further look into this for you, please don't hesitate to send through a private message confirming some details, we'd be happy to take a look.
Once again, apologies for the experience.