Go to Top

Mobile Phone Porting Fraud: The Risk Goes Far Beyond Consumers

Businesses are increasingly targeted by phone porting scams

Senior Man Giving Credit Card Details On The PhoneMuch has been written and reported about the risk of mobile phone “Porting” and related financial scams against consumers.  A 90 year old grandfather, for example, recently had his identity stolen by a fraudulent caller that advised the old man that she was conducting a “phone interview.”  When the grandfather gladly offered his personal information over the phone to the scammer, the fraudster was able to steal his mobile phone number, access his credit card, and rack-up fraudulent charges totaling more than $14,000. [1]

In a similar case, a Telstra customer was lifted of nearly $20,000 by a criminal that was able to obtain the victim’s personal information by scamming the mobile carrier into disclosing the information.  This crime was also perpetrated via an old fashioned telephone pretext call.  [2]

The Cellular Telecommunications Industry Association (CTIA) estimates financial losses due to mobile device cloning fraud in the United States are between $600 Million and $900 Million. [3]  We are learning more, however, about more sophisticated porting threats to businesses, and how those threats can pose significant financial risks to company assets. [4]

Increased Exposure
The numbers don’t lie.  There are currently more mobile devices on the planet than people, and these numbers are rapidly increasing.  Mobile devices out-shipped PCs worldwide for the first time in 2014, and analysts predict over 12 Billion mobile devices will be in use within the next three years.  These statistics offer a reminder that businesses and their attorneys must get a handle on the business risks associated with the new way we are computing.

“Mobile devices out-shipped PCs for the first time in 2014”

Internet crime and electronic banking securityA Case Study
To illustrate this “Porting as a risk” trend, a recent case study is offered.  While some of the details, including our client’s name, have been altered to protect the privacy of the business, the essential facts are intact.  This is an actual data breach matter that our firm handled.  Our client, LostYur Securities, a mid-sized securities trading company, contacted us through their attorneys who indicated that LostYur’s bank account had been pilfered of a sizable amount of cash by an unknown outside individual.  Our client’s bank reported that the offender had contacted them, using a mobile phone number recognized by the bank as a legitimate LostYur employee phone, and was able to spoof the bank into transferring money to an off-shore account.
How does this happen?
It’s called “Porting,” and authorities claim it is costing businesses and consumers hundreds of millions of dollars in annual fraud.  In the case of our client, an unknown “bad guy” was able to hack into a LostYur accounting executive’s work computer and pilfer some of her personal information, (mobile phone number, carrier, account number, name of business bank, etc.).  Then, the fraudster contacted the mobile phone service provider and requested that the victim’s phone number be “Ported” to a pre-paid disposable mobile phone.  The hacker most likely purchased the phone with cash to avoid a credit card audit trail.  Because he was able to answer the security questions with personal information he had stolen from the victim’s computer, the criminal successfully ported the device.

Armed with the victim’s mobile phone number on a fresh phone, the criminal called LostYur’s bank and requested that funds be transferred to an off-shore account.  The bank, using two factor authentication, sent a security text to the mobile phone on record, (which the thief received), and the illegitimate transfer was authorized by the bank.  In the meantime, the LostYur employee, noticed that her mobile phone was no longer working and contacted her carrier…but it was too late, and the fraud had already occurred.

This fraud technique is particularly effective since the authorization for the transaction is often accomplished by the bank sending a confirmation text message to the very mobile phone that has been ported, which essentially allows the criminal to “authorize” the fraud by responding to the bank’s confirmation message received on the newly ported device.  Sneaky.

Forensic Analysis Proves Hack
LostYur’s bank was able to verify that the offender contacted the bank via the LostYur executive’s mobile phone number.  Based on this information, a forensics exam was conducted on the employee’s work computer, where evidence was discovered which proved the employee’s computer had been attacked with Dridex malware.  Dridex, a relatively unsophisticated malware typically launched from China or a few other countries, is delivered in the form of a macro, buried in a Microsoft Word document in a spam email message.  If the recipient opens the attachment, Dridex jumps into action when the computer user visits any online banking website.  Dridex then steals the user’s banking credentials and forwards them to the hacker. [5]

A Disturbing Trend
This attack vector is not new, but the stakes are getting higher as more and more businesses, and their employees, are conducting their computing on mobile devices and tablets. Recent cases have included a small business owner in Melbourne who was defrauded out of $45,000 by a porting scheme. [6]

“Recycled” Phones Also Pose a Risk
Mobile phones in trash can isolated on white background. UtilizaAs an anecdotal confirmation of the phone porting / cloning exposure to businesses, my firm has witnessed a serious risk involving “recycled” phones containing very personal user information.  We purchase hundreds of used and “recycled” mobile devices from various online retailers annually that we use as training devices.  These phones have typically been turned-in to cell phone retailers or recycling shops by their owners when they purchase new phones.  Most of the devices, with cracked screens or other damage, do not work, and our computer forensics examiners practice their forensic skills on these phones.  Over the years we have observed that many of these devices contain sensitive personal information about the user, including in some cases, photos, passwords, “deleted” text messages, and financial information about the owner and their businesses.  This personal information could be used to perpetrate identity fraud, or to potentially hack into the user’s corporate networks or bank accounts. The previous owners of these phones are unaware that this data still exists on their old “broken” phone.

Prevention
For businesses that allow employees to bring their own mobile devices into the workplace, companies should consider a BYOD Mobile Device Management (MDM) solution.  MDM software provides centralization of device security, and helps mitigate porting and other security breaches.  MDM can also be applied within companies that issue company owned phones to their employees.

And since “human error” is often the root cause of a breach, companies must offer information security training to their employees, reminding them of some of the most popular scams, including social engineering, Spam threats, and public Wi-Fi exposures.

Finally, companies should have a well crafted mobile device usage policy, and employees should sign off on this policy annually.
For individuals, security precautions include:

  • Using strong passwords
  • Making sure your mobile phone service account utilizes a password and security questions
  • Keeping your anti-virus and security software up to date.
  • Avoiding use of public Wi-Fi.
  • Never opening suspected Spam messages or attachments.
  • Before installing an app, read and understand the terms and be aware of what data the app is storing.
  • Securely wiping the data from your old phones before recycling the
[1] “2 Investigators:  Fraudsters Can Steal Your Phone Number – And More- Through “Porting”.  By Pam Zekman, CBS News.  July 30, 2015.  chicago.sbslocal.com/2015/07/30/2
[2]  “Customer Scammed $20,000 after Telstra Representative Gives Out Personal Details.”  Charlotte Willis, www.news.com.au.  June 30, 2015
[3] “Emerging Areas of Mobile Fraud.”  www.idology.com/blog/emerging_areas_of_mobile_fraud.
[4] “More mobile devices in the world than people – how many do you have.”  Mobile/Responsive News, August 24, 2015.
[5]  “The API Management Playbook”, ComputerWorld.com, by Jeremy Kirk.  November 5, 2014
[6]  “Mobile Phone Porting:  New Type of Scam to Look Out For.”  www.bankwest.com.au.  12 Feb 2013

, , , , , , , , , , , ,

About Jeff Hartman

Jeff is a 30 year veteran of the corporate security, computer forensics, and eDiscovery community and a co-founder and partner at 4Discovery. 4Discovery is a leading provider of computer incident response and computer forensics services to attorneys, corporate security executives, and the information protection community.