/ Technology

How can we prevent mobile phone fraud?

Which? hired experts Pen Test Partners to test the security of the websites of the four major mobile phone providers. In this guest post Ken Munro, from the company, explains the test and what they found.

With some top-end smartphones costing nearly £800 to buy outright, and a typical contract costing around £700 over two years, it’s no wonder mobile phone fraud is a serious issue. Nearly 10,000 cases of mobile phone-related identity theft were recorded in 2014.

This type of identity theft occurs when fraudsters take out a phone, pay-as-you-go Sim card or contract in your name, using your personal details. This gives ID thieves access to free minutes, texts and data, as well as a free handset they can sell on for hundreds of pounds.

Pen Test Partners was hired by Which? to assess how secure the websites of the four major phone providers’ were against identity fraudsters. As fraudsters usually work via the internet, we wanted to see how easy it is to hijack an account.

We found most providers could do a lot more to protect customers, and are struggling to strike the right balance between a user-friendly website and one with the necessary security measures.

Convenience vs security

All of us love convenience – and the websites of phone providers are designed to be hassle-free to log into. However, this can be troublesome when you factor in security. As much as you love convenience, so does the fraudster.

When a fraud does occur, providers will cover the costs you have, but not necessarily fix the underlying insecurities that make the fraud possible.

Tougher identity fraud measures a small price to pay

Tougher security measures are a small price to pay when they’ll better protect your online phone account from being hacked. We’d like to see more stringent login pages that ask for selected characters from your password, and two-step verification.

Security questions must be trickier, too. Such measures are already offered by other online services, such as Facebook and Gmail. Bearing in mind that providers already know your phone number, two-step verification should be an easy factor to include.

Crooks would hate the hassle of improved protections against identity theft. Surely, that’s an idea we can all get behind?

In the meantime, the Which? tips below are a great way to help ensure that your personal information is safe.

Five top tips to stay safe from ID theft

1. Create a strong password with a mix of numbers, symbols and characters.
2. Set your social media profiles to private.
3. Enable two-step verification.
4. Install antivirus software on your PC.
5. Opt out of the open electoral register.

How do you remember your security passwords? Would you use a different password for every site? Are greater security checks a small price to pay for peace of mind, or are you frustrated by them?

wev says:
19 May 2015

When Yahoo’s email service was hacked a few years ago, they increased security in a way which left me locked out forever from my personal email account.

Having strong security is good, but not good if it keeps your customers out.

And Ken, since you’re writing about phone security, can you please do a topic about which phones are the most secure from email and website viruses?

“This type of identity theft occurs when fraudsters take out a phone, pay-as-you-go Sim card or contract in your name, using your personal details” – How does a fraudster benefit from taking out a PAYG SIM card in someone else’s name? There is no credit facility, so I see no scope for a fraudulent gain.

In many countries, you can’t buy even a prepaid SIM card without showing a national ID card or passport. In contrast, in the UK you can get a contract SIM card with a large credit facility without any identity checks.

In the last two months my husband has been sent three letters from three different companies thanking him for joining their network (EE, Vodaphone and O2) We have received letters asking for money. We have contacted the companies and reported these letters to the Police and Actionfraud. Make sure you get a CAD number from the police to give to the relevant companies

The only company to write back to us and apologise and to report that it would not affect our credit score was O2.

The funny thing is that my husband doesn’t even have a mobile phone.

Dan says:
1 April 2022

It’s 2022 and they still haven’t done anything about it at all. It’s been happening to me this week. To open a bank account last week I had to take a video clip of my face and let the bank compare it to my passport to verify my identity. And that was a bank account I was depositing my savings into, not borrow from. Yet people can walk off with a £1000 iPhone in my name after minimal checks. It’s ludicrous.

Em says:
1 April 2022

There is a lot of discussion on other Which? forums about how easy it is for fruadsters to open bank accounts and steal money off their victims. There is also the problem of British banks being used to launder dirty money from the proceeds of other crimes. Only half of what you complain of is ludicous.