Optus has copped an $826,000 fine after scammers exploited a vulnerability in a third-party identity verification system it used, allowing them to steal phone numbers and access users’ bank accounts.
The incident targeted customers of Coles Mobile, which has a mobile virtual network operator (MVNO) agreement with Optus to use parts of its 4G and 5G network.
The Australian Communications and Media Authority (ACMA) said the vulnerability “enabled scammers to bypass parts of the required verification process” for mobile number porting.
The scammers were then able to “gain control of at least four consumers’ mobile services, and access their bank accounts, resulting in reported losses of $39,000.”
ACMA declined to go into detail about the vulnerability in its public report [pdf] but said it leant on the likes of the Australian Cyber Security Centre, Australian Financial Crimes Exchange and the Australian Competition and Consumer Commission – which runs a scam reporting system – for the investigation.
“While this was a one-off issue which was quickly remediated, it is inexcusable for any telco not to have robust customer ID verification systems in place, let alone Australia’s second largest provider,” ACMA member Samantha Yorke said.
“Scammers are always looking for any weaknesses in systems, and on this occasion Optus left a vulnerability which directly exposed people to harm.”
The $826,000 penalty is the maximum ACMA can levy against a carrier for a breach of this kind.
“Consumers should contact their telco and financial institution immediately if they think they have been a victim of a phone scam,” the ACMA advised.