An Australian doctor was about to take her family on a two-week holiday when she noticed an unusual transaction in her bank account.
A few months ago, Christine’s* worst fears were realized when she received a notification from a caterer that she’d spent $79 on a coke, burger, southern fried chicken tender, buffalo wings, and garlic bread.
The problem was that the NSW-based doctor had never placed the order.
Just a few hours earlier, her phone had stopped receiving calls or texts and the signal had switched to “SOS Only” mode.
It turned out she had been subjected to a SIM swap, in which a scammer remotely took over her phone number by posing as her to her telecom provider and asking for an eSIM card.
This meant the cybercriminal could then break into all of her logins, including her bank, social media, email, and even grocery delivery accounts, by requesting a password reset and intercepting the text message sent to her number.
Christine lost $200 after the hacker made a small wire transfer from her bank, but is certain that whatever information they were able to glean about her was sold on the dark web.
“The whole hack experience has made me feel very vulnerable and insecure, the whole fabric of who I am has been taken away,” the medic told news.com.au.
It comes as the telecom watchdog has cracked down on telecom providers for allowing SIM swap scams.
Currently, some phone companies like Optus only require the customer’s full name, date of birth, phone number and address before authorizing a SIM swap.
The Australian Communications and Media Authority (ACMA) announced new rules on Friday, warning that legal action would be taken against telecom companies if they were not followed.
Christine isn’t sure how the hackers obtained the amount of personal information needed to impersonate her, but she suspects an important letter was stolen from the mail.
She knew something was wrong when she started receiving messages from her telecom provider saying her contact details had been changed.
“I remember being on the phone when I got those text messages,” she said. “I figured I’d take care of it when I got home, which was a bad mistake.”
The doctor is usually on call for medical emergencies, and by a stroke of luck, she was soon put on leave as no patient’s life was endangered during the hack.
But it took her a full two weeks to deal with the carnage wrought by the hackers, so she couldn’t take a family vacation.
Her friend called her number and spoke briefly to a woman on the other end before being transferred to a man who hung up. At the time, the friend was confused, but later realized they had spoken directly to the hackers.
Christine’s phone company also told her that a woman had called pretending to be her and was requesting an eSIM card.
“I know they are real people. These people who did this are not nice people,” she said.
In another disturbing twist, she added: “A number of SIM cards have been delivered to my home address.
“I suppose they [the hackers] had requested additional SIM cards. They might have stopped in front of my apartment to pick them up.”
She suspects the same for the food delivery order.
“I’m worried now, that’s going to worry me for the next five or ten years. I’m afraid,” Christine said.
“It’s actually pretty profound. We live in a world where you are your cell phone number, you are your Medicare number, that’s something really personal, it’s quite disturbing.”
To make things even more frustrating, Christine knows it would be easy to catch the hackers who have made her life a misery.
“When I got access to my email, I could see the IP address [they used],” she explained.
“The location is available on my phone bill. We have the suburb where this is happening, their names, it should be possible to find these people.”
However, police refused to take a victim’s statement from her and instead referred her to the Australian Cyber Security Centre (ACSC), which has no special enforcement powers.
Christine isn’t the only healthcare professional whose life has been turned upside down by SIM swap hackers.
Ally*, a NSW health worker, has been compromised since May last year after cybercriminals swapped her SIM card for an eSIM.
This was particularly problematic for her as a healthcare worker who needed constant access to her immunization record when immunization regulations went into effect following the rise of the Delta variant of Covid-19.
“I’ve spent numerous phones, two SIM cards and $880 on professional IT support to no avail,” Ally told news.com.au.
“My SIM cards were purchased through Telstra. I wasn’t refunded anyway as they said the fault was with the iPhone.
“I tried two iPhones, sold these and am now having similar issues with a Samsung phone.
“I issued a credit freeze when I realized my emails and alert notifications were intercepted.”
She even noticed that a small $20 direct debit had been sent to the Canadian government.
“My phone keeps locking my account saying I entered the wrong passcode. I have to reset it very often and this has resulted in my apps, contacts, email and photos being completely erased,” she added.
“Keeping an eye on my finances has become a challenge.”
On Friday, the ACMA said phone companies will be required to carry out stricter customer identity checks for “high-risk transactions” like SIM swaps or account changes.
The new requirements, called the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, will go into effect at the end of June.
Under the new guidelines, the ACMA can penalize telecom companies that break the rules, including by taking them to court.
On average, an Australian SIM swap victim loses a whopping $28,000 to hackers, according to ACMA.
Earlier this year, news.com.au reported on a family in Sydney who lost $37,000 to a sophisticated SIM swap hack.
And news.com.au knows of one person who lost $52,000 and another who had millions in credit card debt in her name.
“SIM swap scams can be very damaging as scammers take control of your phone number and then use it to gain access to your online banking accounts,” said ACMA Scam Taskforce Chair Fiona Cameron.
“These new rules require multi-factor authentication of your identity, e.g. confirming personal information and responding with a unique code, consistent with how other essential services such as banking work.
“We anticipate these rules will go a long way in weeding out unauthorized transactions like SIM swap fraud and improving security for telecom customers.”
*Names withheld for privacy reasons
Do you have a similar story? Continue the conversation | email@example.com | @AlexTurnerCohen