How Telstra gave my details to crypto scammers
By Paul Clitheroe
At 11.42 am on a pleasant Monday, hackers gained access to my Telstra account.
They instantly removed my email address and mobile number, and added theirs to my account. This removed my opportunity to get the standard SMS or email from Telstra, warning of "account changes" - instead, this was sent to the crooks.
Having control over my account gave them access to all my emails. They started trawling over these, seeking personal information, banking and credit card details, and searching for any opportunities to defraud me, my family, friends and colleagues.
With the "account change" warning going to the scammers, not me, the first clue that something was amiss was an "account error" warning when I tried to send an email. We've all seen these, and I figured there was a poor connection to our wifi, as the error message said "no connection to the server".
This was my first mistake - the failure to act quickly.
Fortunately though, I was saved by a phone call. A financial services company phoned to ask about our instructions to sell $35,000 of shares we hold and to purchase Bitcoin. This woke me from my relaxed Monday morning!
Our advisor sent me the email they had received. I was really concerned.
The crooks had used our personal information to construct a very convincing email. It read like it was from us.
Obviously it did not succeed because of the two-factor authentication used by any reputable financial services company. In this case, they will also not do a transfer without verbal confirmation, a third security factor.
My heart rate was still very high though. Think about what your email inbox and sent items contain. It will be a whole stack of personal, business and financial information. What were the crooks planning next?
Stopping a scam in action
Breathing deeply, I remembered the lessons of scams and fraud I have written about for decades.
First up, I had to regain control of my Telstra account to stop the bleeding.
I tried calling the customer line. A recorded message said, "extensive delays, go to the Telstra app". I tried calling the fraud line - same message.
As the crooks had applied their password, I had no access to my account.
I needed to take urgent action. So, I cancelled all my appointments and raced to a Telstra store with phone bills and proof of ID.
A staff member checked my ID, opened my account and provided me with a new password. They helped me to remove the crooks' phone number, and reinstall my mobile as my contact number.
I felt things were looking up. Wrong.
The scam isn't over
I raced home and started contacting my banks and financial services providers. A couple of hours later all our accounts were frozen. I was starting to breathe a little more calmly and my heart rate was down.
But hang on - I could send emails but not receive them.
I thought this was just a Telstra glitch that would soon be sorted now my new password had been installed. Wrong again. I have quite a few services from Telstra - mobile phone, internet, Foxtel and a couple of prepaid SMS cards.
When I downloaded the Telstra app some time ago, I remembered the number of services I was paying for gave me "gold customer service". The Telstra phones still had "extensive queues", so I opened an online chat with a Telstra representative.
Then I nearly had a heart attack. The last chat regarding my account, a few hours earlier, was between Telstra customer service and the crooks!
11.39 am - Crooks: "I have several emails" (sic)
11.39 am - Telstra: "What email account your trying to get the passwords?" (sic)
11.39 am - Crooks: supply my email.
11.42 am - Telstra: "Here's the temporary password" (to my account)
The scammers immediately left the chat to take over my account with the replacement password provided.
I do not need to point out the complete, absolute breach of even the most basic security.
From here my Telstra chat goes on, with pauses as I talk to banks and credit card providers, plus two more visits to Telstra stores. This continued until, finally, a breakthrough some 32 hours later at 7.24 pm on Tuesday night.
Blamed for being scammed
Telstra, like many institutions, seems to work on a cascading urgency system. So you start with representatives who may be quite junior, or quite frankly, know next to nothing.
I'd need quite a few pages to go over the entire chat transcript, but I was pretty sure that escalation to a more senior person would happen as I used certain key words. Wrong again.
I requested to be passed to a supervisor. That was ignored, as was my description of the fraud.
Stating the obvious, that Telstra had given a replacement password with no customer verification, was also ignored.
One representative suggested I must have provided my Telstra ID to the crooks.
So I just plugged away, repeatedly asking why I could not get emails.
A clear breach
Some 32 hours after the crooks got control of my account, I was transferred on Tuesday evening to a Telstra representative in the Townsville team. He was fantastic. No more nonsense about it being my fault.
Telstra, he agreed, had, very clearly, breached their verification process. He went into my account and instantly found the problem. The crooks had put their email in the "forward email" setting.
No wonder I was getting no emails. Even though I had control of my account, emails were redirected to them, allowing them to follow my attempts to control the fraud. He noted the email address they were using and passed this to the Telstra fraud team.
I will keep the next steps to the bare minimum and move on to tips on how you can protect yourself, and the actions you should take. But the Telstra fraud team rang me and followed up with an email. This gave me a contact I could speak to directly.
Protecting customers
As I felt it valuable for all Money followers to read about this, I emailed the Telstra media team seeking to understand more about customer protection. This led to further emails and an opportunity to speak to a senior Telstra executive.
She was very straight with me, explaining how the breach of customer verification occurred and the actions taken, and wanted a complete conversation about my experience to assist with steps to more broadly protect all customers.
I was also able to pass on two colleagues who had very similar issues leading to fraud and in one case, very serious identity theft.
I reported this fraud to the Telecommunications Ombudsman. A combination of this complaint and my direct complaint to Telstra led to an offer of compensation, with no fees on my account for a period of time.
I was pleased to see how the customer compensation scheme worked, and the offer was fair.
However, I do not want compensation apart from better security for all of us. (Unless the breach of my security by Telstra leads to the total theft of my identity - in that case I will need all the help I can get.)
What I want is an explanation of how this happened - a password reset by a crook with no verification or ID - and if it's likely to happen again.
'Inexcusable'
Telstra has thousands of customer-facing staff. I accept mistakes will happen.
But how can these be minimised? How can we customers be safer? How can we report fraud very quickly and have it acted on? Finally, what access do impacted customers have to assistance and compensation?
Here I will give Telstra some credit.
The handing of a replacement password to a crook with no ID verification is inexcusable. Telstra accepts that.
It also took me far too long to get to a Telstra employee who could help me stop the fraud. But once my persistence elevated the fraud to a more senior level, the help and explanations have been open and frank. But goodness, it took far too long to get there.
Cautiously moving forward
We have cautiously lifted the freeze on our bank accounts, but they are flagged for all transactions.
I am using one existing credit card which I can freeze and unfreeze securely on an app. It also sends an instant SMS for every transaction, so I have gone from checking the card, when it is unlocked, a few times an hour to a few times a day. I am monitoring my Telstra account very regularly.
Telstra has worked hard to resolve the error. My account has been flagged and I am notified if anyone opens my app or directly contacts Telstra. Recently, I received a message saying Telstra had frozen my account over my app being opened. In fact, it was my app updating, but given the recent fraud, this level of security made sense.
One thing I did learn may help many of us. Our ultimate security is our "secret" PIN. By approaching Telstra through the telco's app, a high-security transaction such as a password reset will require a customer to enter their secret PIN. By contrast, a direct approach to Telstra will (or should) result in you being asked the usual verification questions, but also being sent a six-digit code to your registered email or SMS.
My discussions with Telstra also answered more of my questions. I have a very strong bias towards a secret PIN, not known to the telco or anyone but us. So I'll be using the app. But Telstra tells me it is also introducing an account lock. This was a ripper with one of my credit cards: I could instantly freeze it on their app. Instantly freezing my Telstra account would have helped me enormously.
The telco is also bringing in a digital ID scanning product, which I presume will allow facial recognition.
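To make the verification point concrete, here is a small Python model, added to this column and not Telstra's system or code, of how a telco could gate a password reset the way described above: a secret PIN or a six-digit code must be completed before any replacement password is issued, and an "account changes" alert goes to the old contact details as well as the new ones. The cooling-off rule for freshly changed contact details, the seven-day value, the function names and the sample account are my own assumptions, not anything Telstra describes.

```python
from dataclasses import dataclass, field

CONTACT_COOLING_OFF_DAYS = 7  # assumed policy value, not Telstra's


@dataclass
class Account:
    email: str
    mobile: str
    contact_changed_day: int                     # day number of last contact change
    alerts: list = field(default_factory=list)   # who was notified, for audit


@dataclass
class ResetRequest:
    today: int
    pin_ok: bool = False    # customer entered the secret PIN in the app
    otp_ok: bool = False    # six-digit code confirmed via a registered contact
    otp_channel: str = ""   # "email" or "sms"


def can_reset_password(acct: Account, req: ResetRequest) -> tuple[bool, str]:
    """Return (allowed, reason); a reset with neither factor completed is refused."""
    if req.pin_ok:
        return True, "secret PIN verified"
    if req.otp_ok:
        # A code sent to details swapped in minutes earlier proves nothing:
        # whoever changed them receives it. Require a cooling-off period first.
        if req.today - acct.contact_changed_day < CONTACT_COOLING_OFF_DAYS:
            return False, "contact details changed too recently for a code to count"
        return True, f"one-time code verified via {req.otp_channel}"
    return False, "no verification factor completed"


def change_contact(acct: Account, new_email: str, new_mobile: str, today: int) -> None:
    """Alert the OLD contacts as well as the new ones, so a swap cannot silence the warning."""
    for target in (acct.email, acct.mobile, new_email, new_mobile):
        acct.alerts.append(f"account change alert -> {target}")
    acct.email, acct.mobile, acct.contact_changed_day = new_email, new_mobile, today


def demo() -> dict:
    """Constructed scenario (sample values are made up): legitimate resets, then a contact swap."""
    acct = Account("me@example.com", "0400 000 001", contact_changed_day=0)
    out = {
        "no_factor": can_reset_password(acct, ResetRequest(today=40))[0],
        "pin": can_reset_password(acct, ResetRequest(today=40, pin_ok=True))[0],
        "old_otp": can_reset_password(acct, ResetRequest(today=40, otp_ok=True, otp_channel="sms"))[0],
    }
    change_contact(acct, "crook@example.com", "0400 000 999", today=40)
    out["fresh_otp"] = can_reset_password(acct, ResetRequest(today=40, otp_ok=True, otp_channel="email"))[0]
    out["old_email_alerted"] = "account change alert -> me@example.com" in acct.alerts
    return out
```

Running `demo()` shows the reset being refused with no factor, accepted with the PIN or a code to long-standing contacts, and refused again when the code would go to details changed the same day.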
The crooks will know enough from my emails to have a crack at identity fraud. But I am hoping I have moved quickly enough to make access to our money, credit cards and information to apply for loans in our names pretty hard. Mind you, I am monitoring my credit report daily and will be for a very long period of time.
The starting point for this fiasco was not of my making, it was Telstra's error. All institutions are cranking up their security, in particular around customer verification, and so they must. But I have learnt a lot about what I should be doing to protect myself. Here are my key tips.
How to spot a telco scam
1. You cannot get phone calls, SMS or emails.
2. Your email system says "account error".
3. You can't access your telco account with your password.
4. A service provider rings to say they are getting requests for fund transfers. Remember - if anyone emails you, the crook may get that, not you.
5. A family member or anyone in your email list says they have had an email asking for money to be transferred, or other strange emails from you.
If any of these happen, do not walk, run to your telco store with full ID.
Stopping the scam
1. Regain control of your account by presenting full ID to your telco and setting a new password.
2. Check your emails are sending and receiving by emailing yourself a test.
3. Check that your phone and email have not been set to "call forwarded" or "email forwarded".
4. Check your "sent" emails. You may find emails the crooks have sent.
5. Check all your credit cards. With some you can do a temporary freeze in their app.
6. If the crooks have discovered any credit card information in your emails (you may have sent credit card details by email to make a purchase), cancelling the card and getting a new one is the safest course of action.
7. Alert your bank. If any attempted fraud is taking place, freezing your accounts is necessary.
8. Advise any other financial service providers, such as an advisory firm or broker.
What's next
1. Once the initial panic passes, you have control of your telco account and you have taken the steps above, you need to have a frank conversation with your telco provider. This will probably be a slow and painful process to speak to someone who understands what has happened. Someone in the Fraud Team would be best.
2. If like me, this takes some time, lodge a complaint with the Telecommunications Ombudsman. They will ensure the telco responds to your complaint.
3. When your telco gets in touch, make sure you state that part of your complaint is more secure customer verification in future. This helps all telco customers.
4. Demand compensation. This should reflect the time you have had to put into getting your fraud stopped, any losses, your costs, loss of salary and the stress this causes. Fraud is a low-cost item for a telco. The truth is we bear the risk, costs and time to fix their errors. Customer compensation will elevate the seriousness of fraud to telcos.
5. Don't be shy. Telcos value their reputation. Tell your family, friends, work colleagues about your fraud and what caused it. This herd behaviour also protects all of us in the herd. The more we hear about fraud from people we trust, the more action we and institutions take. This leads to better security for all of us.
6. Bad things can still happen to us as the crooks go over our emails they have downloaded. Be prepared for potential identity theft.
Preventing identity theft
My colleague Ron Hodge, CEO of InvestSMART, was also impacted by a Telstra customer verification failure. He is a lot more tech-savvy than me and put me onto these very valuable resources to help with where the crooks may go next with my personal data: identity theft.
You should contact IDCare, a not-for-profit that Ron tells me was "amazing and very helpful". You can lodge official reports with these organisations:
- Report | Cyber.gov.au
- IDCARE Official Website | Identity Theft & Cyber Support
- Help for identity theft | Australian Taxation Office (ato.gov.au)
Hodge also had other tips.
"If you think the hackers have access to copies or physical identification documents such as passport, driver's licence, and Medicare card you should look to cancel and renew these documents. It is very hard to cancel a driver's licence but cancelling and reissuing my passport and Medicare card was very easy.
"Place a ban on your credit report with all credit agencies so hackers cannot apply for new credit cards in your name. Equifax was the best, who also reported to other credit agencies and I also signed up to their ID Basic plan of $4.95 per month to alert me of anyone who attempts to use my details to apply for any sort of credit in Australia and elsewhere."
If you suffer a basic breach of security by a telco, this is the path you have to go down.
It is hugely time-intensive, which can impact your job and your life. It is also highly stressful.
We consumers deserve and need to demand better. The very obvious solution is right back at the start. A telco needs to recognise that something as critical as a 'password replacement' is a very high-risk transaction.
Sure, we consumers also need to play our part and insist on two- or three-factor identification for these high-risk transactions. And it needs to be real verification.
As with our banks, one of the strongest parts of verification is the secret PIN or password that is known only to us. Fraud is best stopped before it begins: once a telco opens a door to our emails and mobile phones to crooks, the horse has bolted.