A devastated nurse has been left penniless and will have to change his name after sneaky ‘simjacking’ hackers stole almost everything – including his identity.
Ruthless thieves managed to con Optus staff into giving them total access to Sydney man Mark Donnelly’s phone number which let them reset passwords on all his bank accounts.
Within a matter of minutes, they had drained $34,000 out of his savings and credit cards and transferred it into untraceable cryptocurrency.
The hack also allowed them to access his emails and personal documents including vital identity papers like passport, driving licence and birth certificate details.
Now he’s had to block credit agencies from granting any loans in his name while he changes his name and rebuilds his life and his identity.
‘It’s absolutely terrifying,’ he told Daily Mail Australia. ‘They’ve taken everything – and it is shocking how easy it was for them to do it.’
Mr Donnelly, 46, from Blacktown in Sydney’s west, woke up a fortnight ago to find his iPhone 12 suddenly had no mobile connection and was only allowing SOS access.
He quickly contacted Optus who gave him a new sim card for the phone which immediately fixed the problem, foiling the first attempt to hack him.
WHAT IS SIMJACKING?
Simjacking is when hackers pose as a customer to get a telephone company to either give them a replacement sim card or an esim – a virtual sim card activated online – for the customer’s number.
A few basic details like name, email address, home address and date of birth are often all that’s needed to get the duplicate sim card.
Those details are often available online from hacked databases of large corporations like Facebook or Adobe.
Hackers can also open a new phone plan with another telco and pretend the victim’s number is theirs and ask the telco to transfer or ‘port’ it to their new plan.
Once hackers have access to the phone number, they can then use that to exploit a weakness in online security checks.
Hackers can reset passwords on bank accounts by requesting two factor authentication using SMS text messages.
Banks then simply send a passcode by SMS text message to the customer’s mobile phone number on file – which now goes straight to the hacker using the duplicate sim.
The hacker can then reset the password on bank accounts to access them – and then transfer money anywhere.
Two days later though he had exactly the same problem – but this time Optus store staff told him it was an issue with his phone and referred him to Apple for a repair.
Unknown to Mr Donnelly though, the simjackers had posed as him online to Optus and demanded they issue an esim in his number.
Many modern phones no longer need physical sim cards and can use a virtual esim which gives any suitable phone full access to the mobile phone number.
While Mr Donnelly was trying to fix his problem, the hackers were busy using the phone number to access his bank accounts and resetting his passwords by two-factor SMS authentication.
Banks use the mobile phone number they have on record to confirm a user’s identity and send a passcode to the phone, which then allows passwords to be changed.
Within minutes, Mr Donnelly’s savings and cheque accounts had been emptied into cryptocurrency where they were spirited away to an untraceable account.
The hackers had even used the phone number to access ANZ’s Shield app – designed to protect customers – to allow them to transfer large sums out of the account.
By the time his partner realised they had been robbed, it was already too late.
It then took hours on hold trying to talk to three different banks and Optus to shut down accounts before the hackers did even more damage.
‘The hackers were trying to extend my ZipPay credit to $10,000 but luckily they realised something was wrong and locked the account,’ said Mr Donnelly, an operating theatre nurse at Westmead Hospital.
‘I was on hold to ANZ Bank for an hour and half trying to speak to someone and my adrenaline was just going through the roof. I just needed to speak to someone but couldn’t get through to them.
‘It was just sheer panic. I was like, “Oh my god, where’s all my money gone?” They put a freeze on all my accounts but then I had absolutely no access to money at all.’
With all his accounts finally locked, he and his partner were left with just $200 to live on while they battled to unravel the damage.
A check on the website f-secure.com revealed that enough of his personal details had been exposed online in hack attacks on company databases for hackers to pretend to be him online to Optus and get the vital esim to clone his phone.
‘It was a real eye opener to how unsafe you are these days,’ he said. ‘I’d done nothing wrong. No-one had accessed my phone – I’ve got a passcode and Face ID on it.
‘It’s made me realise just how much information about customers companies are leaking in hacks. No-one seems to know about this or how devastating it can be.’
He had to take days off work to try to fix the problem and says while almost all the money has since been refunded, Christmas has been ruined.
‘It’s just the stress of something like this,’ he said. ‘Christmas is over.’
Mr Donnelly is now changing his name to stop any more damage being done and has blocked loan applications in his current name.
He’s having to change his email address and all passwords and has ordered Optus to refuse any esim or phone number porting requests unless he is physically in a store with photo ID.
And he’s even considering hoarding his savings in cash under his mattress to keep it safe in future.
‘Now I’m questioning if I keep the money in the bank,’ he admitted. ‘Should I keep on saving? Should I have a bank account where you’re only allowed to withdraw with two signatures and have to be in the bank?
‘Some older people keep their cash under the mattress because they don’t trust banks…maybe they’ve got a point!’
He added: ‘I just hope that publicising this helps save even just one person from going through what I have.
‘It’s an absolute nightmare how easily you can lose everything without doing anything wrong. I’m going to have to change my name to protect myself now.’
An Optus spokesman said the hackers had used Mr Donnelly’s personal details to pretend to be him online to get access to his account.
‘An individual posing as the customer was able to access the Optus profile and change the contact details for the account,’ said a spokesman.
‘[They proceeded] to activate a new prepaid plan using the customer’s personal information (which all matched what Optus had on file).’
Optus added: ‘Unfortunately identity theft continues to be an issue for many Australians.
‘We encourage customers to regularly change their passwords, not re-use passwords and aim to keep their personal information secure.’
HOW TO STOP SIMJACKING HAPPENING TO YOU
Ask your telco to clearly stipulate on your account that no-one is allowed to request an esim or port your mobile phone number unless you are in the store in person with photo ID.
Wherever possible, use an online authenticator app like Google, Microsoft or Facebook Authenticator rather than text message-based SMS Two Factor Authentication where a passcode is texted to your phone number.
If you lose access to your mobile phone service, contact your telco and your banks immediately.
Check for free on f-secure.com to see if your details have leaked online by hacks on company databases.
Also check haveibeenpwned.com for more possible hacks.
If your details show up, consider changing your phone number and email address.
If possible, use a different email address for each online account.
You don’t always have to tell companies your real mobile phone number or your address when filling out online forms.
Use a password manager app to keep track of multiple passwords, although that would not have made any difference in this case.
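Why the advice above favours an authenticator app over text-message codes, shown as an added example that is not part of the original article: a texted passcode follows the phone number to whichever sim or esim is active, while an app code is computed from a secret stored on the handset. The `Telco` class, the device names and the number are constructed for illustration; the app code follows the public RFC 6238 standard.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): depends only on a secret stored on the device and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Telco:
    """Hypothetical carrier model: texts go to whichever SIM or eSIM is active for a number."""
    def __init__(self):
        self.active = {}

    def activate(self, number: str, device: str) -> None:
        # Issuing a replacement SIM/eSIM or porting the number replaces the old device.
        self.active[number] = device

    def send_sms(self, number: str, text: str) -> str:
        return self.active[number]  # the device that receives the text

def sms_reset_recipient(telco: Telco, number: str) -> str:
    """Bank texts a one-time passcode to the number on file; return who receives it."""
    passcode = f"{secrets.randbelow(10 ** 6):06d}"
    return telco.send_sms(number, passcode)

def app_reset_allowed(enrolled: bytes, device_secret, now: int) -> bool:
    """Bank accepts the reset only if the device holds the secret enrolled in the app."""
    if device_secret is None:
        return False
    return hmac.compare_digest(totp(enrolled, now), totp(device_secret, now))

def demo():
    telco, number = Telco(), "NUMBER-ON-FILE"           # constructed placeholder
    telco.activate(number, "owner-phone")
    before = sms_reset_recipient(telco, number)
    telco.activate(number, "duplicate-esim")            # carrier issues a second esim
    after = sms_reset_recipient(telco, number)
    secret = b"12345678901234567890"                    # RFC 6238 test secret, stays on owner-phone
    owner_ok = app_reset_allowed(secret, secret, 59)
    duplicate_ok = app_reset_allowed(secret, None, 59)  # duplicate esim carries no app secret
    return before, after, owner_ok, duplicate_ok

if __name__ == "__main__":
    print(demo())
```

The duplicate esim receives the texted passcode but cannot produce the app code, which is why a locked-down telco account and app-based codes work together.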