How a woman’s identity was stolen with three simple questions

Sue King had her identity stolen.


Australian woman Sue King was holidaying in the US when she received an odd email from Uber on her WiFi-connected phone saying she had just taken a short ride to the Sydney suburb of Canterbury.

That day in late May became stranger when her Facebook friends began asking her why she was requesting a reference for a loan. One pointed out her account may have been hacked.

Alarmed, she contacted her internet provider Telstra, which told her an impersonator had passed all identity checks and gained access to her account, changing her email password.

A fraudster gained access to Sue King’s Telstra account.

“All that person needed was my full name, date of birth and home address to get into my inbox and I’m concerned it’s just too easy,” said King, a teacher.

“I also have a feeling they stole my mail, because they gave Telstra my account billing number.”

The use of such simple identity verification processes is widespread, with information security experts saying big organisations are struggling to strike a balance between solid security and seamless customer experience.

King managed to change her email password but the worst was yet to come. When she returned home, she couldn’t use her mobile phone because her Optus number had been transferred to another SIM card.

She found out the fraudster had tried to mess with her details at Teachers Mutual Bank and enter her PayPal account.

Her Commonwealth Bank card was swallowed by an ATM because of irregularities. And she discovered $3800 was transferred over 10 days to an online merchant using her St George Bank credit card.

A Telstra spokesman confirmed that as a minimum it verified a customer’s identity using their full name, date of birth and home address.

He said the telco considered its identification process “adequate” and similar to that used by other businesses across many industries. It was constantly under review.

“In this instance, it appears the customer’s identity was obtained fraudulently as the scammer provided the necessary verification information … also providing the account billing number,” he said.

King has since swapped from paper bills to email and changed her passwords. She said the police were also investigating her case.

James Turner, an adviser at Intelligent Business Research Services, said security teams at companies were working hard to strengthen identity verification procedures, but this had to be balanced with customer experience.

He said while identity checks, such as that used by Telstra, were common, it was important to note signatures – “the weakest biometric ever” – were still being used.

“We’re dealing with the area of risk. It’s not a binary situation of ‘They must have done more’,” he said.

“I know the heads of security of all these large organisations and they are genuinely concerned and constantly trying to raise their capabilities so the easy way is the secure way. That’s the end game,” he said.

“It’s like turning an oil tanker, when you’ve got marketing people saying: ‘No, no, we need to make this as fast and friction-less as possible’.”

David Lacey, founder of IDCARE, Australia’s only free helpline for victims of identity fraud, said companies should place greater focus on the way they help victims, who in some cases feel like they’re treated as criminals.

“If you’re not harmed by the crime itself, you almost certainly will be by the response [of the telcos and other service providers],” he said.

He said the number of calls to the hotline has been doubling every three months. He said a criminal begins abusing a person’s identity within 48 hours of it being stolen.

“You don’t ever get your identity back once it’s stolen. They have a life sentence, because the problem can re-appear in the future,” he said.

PROTECT YOUR IDENTITY

– Ensure all devices have the newest available security updates and run weekly anti-virus and malware protection software.

– Never open or click on links from emails you don’t know.

– Never provide your personal or security details in response to any email, even if it looks legitimate.

– Where available use two-step authentication – such as SMS codes to your mobile.

– Regularly change your passwords and PINs and be careful about selecting your passwords.

– Never communicate personal details on social media sites.

– Ensure you have a secure letterbox for postal deliveries.

Source: IDCARE

– Sydney Morning Herald

 

 
