• Re: "'Scammers stole £40k after EDF gave out my number

    From Theo@21:1/5 to Carlos E.R. on Wed Mar 5 14:10:50 2025
    XPost: uk.telecom.mobile

    In comp.mobile.android Carlos E.R. <[email protected]d> wrote:
    On 2025-03-05 14:25, Frank Slootweg wrote:
    Chris <[email protected]> wrote:
    [...]
    Fortunately, the victim has had his 40k refunded.

    Do you have a reference - with details - for that? I.e. who accepted responsibility for which fault(s)?

    Quote: «National Savings and Investments said it had refunded him the
    money taken from his account.»

    And that's the £40000, because earlier it reads (quote):

    «Worse news was to come, when he learned his National Savings and Investments password had been changed.

    "After an hour of talking to different people there, they said, 'You've actually taken out a very large amount of premium bonds, over £40,000'," said Stephen.»

    What I don't understand is how that's a fraud vector. NS&I premium bonds
    (a kind of government-backed savings account with 'interest' generated by a lottery-style algorithm, with certain tax advantages because they count as a lottery not savings) used to be paper things that you could 'hold'. But nowadays it's all electronic - it's a savings account in your name
    effectively. So if he did buy £40k of premium bonds, I don't know how the fraudster would have cashed that out - unless there's some flaw in the PB system?

    Theo

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Theo@21:1/5 to [email protected] on Fri Mar 14 18:49:25 2025
    XPost: uk.telecom.mobile

    In comp.mobile.android Newyana2 <[email protected]> wrote:
    On 3/7/2025 8:24 AM, Java Jive wrote:

    It seems very likely that I was correct.  Rereading the original BBC report, there is a single sentence which most of us seem to have missed
    on first reading ...

    "O2 Virgin Media confirmed the scammer telephoned its call centre requesting a new Sim and had hacked Stephen's emails."


    It's confusing, but that seems to be backward. The scammer
    called the phone company, giving email and name to get the
    cellphone number, then initiated a SIM swap. That, then, gave him
    the means to change the passwords.

    It would be interesting to see a security expert look at this
    in detail. There are many reports online, but they all seem to be
    reprints of one poorly researched article.

    The radio programme is here and starts at 40m50s (not sure if BBC Sounds is geoblocked but I don't think so):
    https://www.bbc.co.uk/sounds/play/m0028bj1

    In brief:
    - received a text from O2 (mobile operator) saying he'd changed his password
    - contacted O2 straightaway and told SIM had been swapped
    - told they'd stop that and send out a new SIM card, emailed to confirm
    - next morning, email from EDF (energy supplier) asking for feedback on
    recent contact with customer services
    - called EDF, told they'd pass it on to the fraud section and get back to
    him
    - nothing happened for over a week
    - called O2 again to make sure everything was stopped, put through to fraud department
    - just after received an email saying new SIM card had been sent out,
    connected to a different number. Queried with fraud department, said didn't know, need to go to an O2 shop
    - O2 shop couldn't do much as account had been stopped, couldn't look at it
    - told them to check his emails
    - contacted Virgin Media (ISP, merged with O2), told he'd changed his
    password, had to go through changing password back again, told they'd pass
    it to the fraud section
    - thus far not had a conversation with any fraud section
    - contacted various banks to check everything is ok, told they'd put in
    extra security
    - tried to make a payment on Nationwide card, couldn't go through because
    they couldn't use the landline for the OTP. Told there was a problem with
    the card, need to go to a Nationwide branch.
    - told someone had attempted to use the credit card for £200 of voucher
    codes, had been stopped. Gave two extra passwords to enhanced security.
    - got an email from National Savings &I to say password had been changed
    - rang NS&I straight away to say it hadn't, went through very long procedure
    to verify who he was and get a new password
    - after an hour, told you'd taken out a large amount of premium bonds, over £40k
    - NS&I fraud rang the next day, explained they had suspicions but asked for
    the money to come back, could be 15 working days
    - only way to get anywhere with O2, VM, EDF is to pay for LinkedIn Premium
    and have access to messaging the executives.
    - Senior EDF executive contacted, listened to the call with the fraudster,
    said it didn't sound like him at all. Seemed to have name and email address, asked EDF for mobile number and was given out to them.
    - Told scammer had gone through security just with name and email address. Offered £50 goodwill gesture for closing the case. Since agreed it has been
    a data breach.

    NS&I say he will be refunded fully.
    EDF say security procedures were followed but subsequently recognised it was fraud.
    VMO2 says scammer had called them and passed security.

    Expert says this all started from Ofcom (regulator) making it easier to
    change mobile provider in under 2 mins. Some mobile operators thinking in
    that way and not thinking about scams - can switch within networks without
    even needing the code.

    ----

    Speculating, I would guess they started with the SIM swap. I don't know the
    O2 procedure, but it's possible to have SIMs which are unregistered or only lightly registered (eg no online account). In that case there isn't much security information the operator has, or it could be easy to find out
    (pet's name, place of birth, etc). Scammer contacts the provider to say you broke your SIM card and need a new one and they don't have very much to authenticate you. If they can make that stick they can maybe then do a password reset on the email which uses SMS as a recovery mechanism, and then they're in.

    Theo

  • From Theo@21:1/5 to Java Jive on Sat Mar 15 19:27:42 2025
    XPost: uk.telecom.mobile

    In comp.mobile.android Java Jive <[email protected]d> wrote:
    On 2025-03-15 12:35, Newyana2 wrote:
    On 3/15/2025 7:46 AM, Java Jive wrote:
    On 2025-03-14 18:49, Theo wrote:

    Speculating, I would guess they started with the SIM swap.

    The original report suggests that they started with an email hack, and
    used that to facilitate the SIM swap.

      That's not what it said.

    Look back directly up thread to my post of 2025-03-06 19:53, where I
    quote the single sentence in the original report that stated that an
    email hack had occurred before the SIM-swap scam was done.

    What's a complicating factor is that Virgin Media O2 is both his mobile
    phone provider and his email provider. I don't know how integrated VM and
    O2 systems are since the merger, but it's possible one login allows access
    to both the emails and the mobile account. That is an unfortunate single
    point of failure.

    Theo

  • From Theo@21:1/5 to Java Jive on Sun Mar 16 15:13:02 2025
    XPost: uk.telecom.mobile

    In uk.telecom.mobile Java Jive <[email protected]d> wrote:
    It makes perfect sense, what you are claiming makes no sense, and shows
    that you have lost the chronological sequence of events. For one thing,
    the use of the word 'had' implies that the hack was already in place at
    the time of scammer's phone call, otherwise they would have said
    something like "... and hacked ..." or "... used it to hack ..." or "...
    and went on to hack ...". Further, if you reread the original report in
    its entirety, how would he have persuaded EDF to give up the victim's
    mobile number without personal identifying information that came from
    access to his emails? Next, how would he have been able to confirm the request for a replacement SIM without being able to reply to the
    confirmatory email?

    When I've had to do a SIM swap (some time ago) it was all done on security questions, there was no confirmatory email. I don't think the mobile
    networks required an email address, and if you're on PAYG they still
    don't.

    I think there is not enough information to be clear about the sequencing, especially since emails and mobile are provided by the same company.

    Theo

  • From Theo@21:1/5 to Java Jive on Sun Mar 16 18:00:59 2025
    XPost: uk.telecom.mobile

    In uk.telecom.mobile Java Jive <[email protected]d> wrote:
    On 2025-03-16 15:13, Theo wrote:
    In uk.telecom.mobile Java Jive <[email protected]d> wrote:

    It makes perfect sense, what you are claiming makes no sense, and shows
    that you have lost the chronological sequence of events. For one thing,
    the use of the word 'had' implies that the hack was already in place at
    the time of scammer's phone call, otherwise they would have said
    something like "... and hacked ..." or "... used it to hack ..." or "...
    and went on to hack ...". Further, if you reread the original report in
    its entirety, how would he have persuaded EDF to give up the victim's
    mobile number without personal identifying information that came from
    access to his emails? Next, how would he have been able to confirm the
    request for a replacement SIM without being able to reply to the
    confirmatory email?

    When I've had to do a SIM swap (some time ago) it was all done on security questions, there was no confirmatory email. I don't think the mobile networks required an email address, and if you're on PAYG they still
    don't.

    I think there is not enough information to be clear about the sequencing, especially since emails and mobile are provided by the same company.

    No, how would he have known the answers to the security questions to
    enable the SIM swap, and his emails were from Virgin Media, while the
    SIM was from O2. Although not initially, my reading of the original
    article is now unambiguously that the email hack preceded the SIM swap
    and provided the initial personal information necessary to accomplish everything that followed.

    Virgin Media O2 are one company - VM and O2 merged June 2021. I don't know whether they have merged customer accounts such that the same security
    details are used for both. In which case it may be that one set of details gives access to both mobile and emails.

    Theo
