Re: Sim Swap Fraud

RonlWeasley · ‎11-07-2024

This perhaps deserves its own thread but EE's security measures (or lack thereof) are truly dire. Still no 2FA to login to your account, for example. In 2024 this is mind bogglingly abysmal.

Today I heard that other networks are introducing a "SIM lock" facility whereby in their app you can put on a SIM lock which prevents porting your number to a new device or to another network. Sounds like a brilliant idea to me which would eliminate SIM swap fraud. Of course you just switch off the lock if you want to change phone or leave the network, and switch it back on again when you have a new phone.

Where are EE with such a feature? Presumably nowhere since despite their claims otherwise, their inaction over 2FA, despite YEARS of complaining about it, clearly demonstrates they do not give a toss about their customers' security.

angryoap · ‎19-07-2024

I totally agree. I received various SMS messages from EE, offering upgrades, telling me there is work being carried out in the area but the one vital SMS containing a PAC code doesn't arrive. Can I get an answer from EE as to how this could happen? No! This gave the scammer a 16 hour head start. Had I received that SMS at the time EE claim it was sent to my phone I would have been in a position to stop the sim swap going ahead. Also, I do not think the SMS sent to the account holder's phone when a scammer calls is sufficient to cause immediate concern as it simply says something to the effect "please call EE if you are not speaking to an adviser. It would be a good idea check with family or friends who may have access to your account before calling'. If someone is trying to access your account and is not in possession of either phone on the account (I had 2 phones on my account - mine and my husband's) red lights should be flashing and urgent warnings sent to the account holder. I did respond to such a message within 5 minutes and it was noted on my account that there was concern someone was trying to access my account yet half an hour later the scammer rang again and was given a PAC code over the phone!

Anyone that thinks SMS 2FA is reliable obviously hasn't found themselves in the nightmare that is sim swap fraud.

RobF2 · ‎03-08-2024

How do I make a formal complaint to EE?

I two have fallen victim to sim swap fraud thanks to EE.

Someone got through the basic security check, changed my address and ordered themself a new sim.

I got the text from EE telling me that is just passed the security check so I called customer services to investigate.

I was told a new sim had been sent to ‘my new address’ so I asked for that sim to be stopped and a new one sent to my proper address.

The next day the fraudster received the sim, which hadn’t been stopped, and used my number to hack my email then credit card accounts because they use text messages to issue links to recover lost passwords.

EE say they’re unable or tell me what texts have been sent to my number to attack my accounts so I have no idea how bad the damage is.

If EE had blocked the sim as requested the hackers would have gotten nowhere.

This is unacceptable behaviour from EE.

When I queried how the hacker changed my address I was told they only had to answer two letters from my password and no 2FA.

From experience, I know you can get the letters wrong two or three times on each phone call to EE then remember correctly and still get through so this is all ridiculous.

Katie_B · ‎04-08-2024

Hi @RobF2.

Welcome to the community.

I am very sorry to hear this has happened.

Since reporting this has this been sent to our fraud team for investigation? if not please get back in touch so the relevant department can take a further look at this.

Has the SIM now been blocked?

Should you wish to make a complaint about this, our complaints form can be found HERE.

Once completed a member of our complaints team will be in touch.

Katie

RobF2 · ‎04-08-2024

Hi Katie,

This was apparently sent to the fraud team on Thursday night and I was told
the sim was to be stopped.

On Friday at about 9am it looks like the sim was received by the thief and
they then used the sim to completely mess up so many things.

First they used the phone to recover my google email.

I had specified my phone as my password recovery method for several
different accounts and they were all compromised thanks to EE.

Once i worked out that EE hadn't stopped the sim card and that it was being
used for fraud i phone up customer services to have it stopped.

I was told they couldn't stop the sim over the phone because someone had
changed the security credentials (not me) so i had to take the time out of
work to drive to the mall after going home to get my drivers licence for ID.

I get the the EE shop and get a new sim in my phone.

Next day my phone goes offline again and someone uses my number to change
my credit card address and order themselves a new card.

I had to take the day off work on Friday and also spent half of
saturday clearing up this mess that should never had happened but because

a) EE change my address and send a new sim off the back of two letters from
one password only. Is it not suspicious that an address change and new sim
request is done in one phone call?

b) despite asking in plenty of time, EE didn't block the new sim so gave a
thief 3.5hours of play time with my phone number.

so i'm down a days wages because EE security isn't up to modern standards
... and i still haven't finished repairing all the damge

thanks EE

Katie_B · ‎04-08-2024

Thanks for getting back to me @RobF2.

Once our fraud team has looked into this you will be contacted and hopefully some information regarding this can be provided.

I'd recommend allowing them the timescale provided to complete their investigation.

If you could keep me updated on the outcome that would be great.

Again, I am very sorry to hear this has happened.

Katie

NW69 · ‎04-08-2024

When will EE wake up and tighten up its security ? This is happening way too frequently! How hard can it be for EE to get its security procedures right ?

After all these incidents, the EE fraud team must have insight into what’s happening, where the flaws are and how to tighten things up. It’s actually starting to look like persistent negligence or an ‘inside job’ - and EE are certainly not taking the due care with personal data that UK-GDPR law requires them to take.

nw69

angryoap · ‎04-08-2024

Hi RobF2, I would like to say that I am shocked that this is still happening at EE but I am not. I don't know if you've read what happened to me but a scammer called, not in possession of the phone on the account, and asked for a PAC code. The EE agent said they would have to send a message to the actual phone on the account with a code, to which the scammer said they would go and sort this out. I received the message asking if I was speaking to EE which I wasn't so I rang them within about 5 minutes. There is a note on the account of my calling and expressing concern that someone may be trying to access my account, yet about 30 minutes later the scammer calls again. You'd think the first thing they would be asking the scammer would be did you manage to get the code, if not, why not? No, EE act as though I had not called at all and this time they issue a PAC code over the phone. It's just unbelievable. I wasn't notified a PAC code had been issued until 18 hours later so it was impossible to stop the sim swap going ahead. I was told later by a member of their fraud team that that is what scammers do, they just keep calling until they get what they want so EE was well aware of this at the time and should have refused to even speak to anyone who was not in possession of the phone listed on the account. For about 5 months after it was like playing whack-a-mole, every time I sorted one problem out another arose, they took over my email address were doing credit checks in my name, ordering £600 play stations to name but a few. EE couldn't have cared less, just offered me £50 and when I turned it down, sent me a deadlock letter. I really think people should get together and take a group action against EE. It's absolutely criminal in my view that when the actual account holder has called to say they think there may be suspicious activity on their account that EE goes ahead some 30 minutes later and issue a PAC code to a scammer.

I wish you good luck - you will need it believe me.

RonlWeasley · ‎06-08-2024

This is a truly awful story. Honestly I am sick and tired of hearing companies saying that they take their customers’ security extremely seriously and have robust processes in place, when the reality is way short of that. EE are by no means alone in this. I was considering a switch to another mobile operator, only to find they don’t even have 2FA for online account access.

It’s a sorry state of affairs. And depressing that the fraud you experienced would have so easily been prevented had some half-modern capabilities been made available. Simple “Prevent sim swaps” and “Prevent PAC codes” user controllable switches in the online account would have stopped this from happening. How hard would that be to implement? Could be done in a weekend if EE truly gave a toss.

i would contact the ombudsman, if you haven’t done already.

angryoap · ‎08-08-2024

Thank you RonlWeasley, if only EE showed so much compassion! Yes I'm pursuing every possible avenue.

RobF2 · ‎08-08-2024

Hi Katie,

Just to add to the ridiculousness of my situation .... EE have charged me £1.50 for the sim sent to the fraudster then another £1.50 for the replacement sim sent to me to regain control of my phone number.

Are they taking the **bleep**?

Rob