Highway robbery?
There was a time in England when, if you stepped outside, you were likely to find
yourself the victim of an assortment of thugs, pickpockets, villains, highwaymen and ne’er-do-wells in general.
[Image: AI generated image of a ne’er-do-well]
Well, to be honest, the situation isn’t very much different today, except now we
don’t have to step outside to get our purse strings cut. We live in a world
where we are constantly being pushed to live increasingly online; but a world
in which personal security must take second place to online convenience.
So while the government-sponsored mainstream media continue to gaslight us to
be “scam aware” etc., the best advice they could give us is to cease
communication by email, stop purchasing online completely and delete any contact
with social media. Restrict your online profile to an absolute minimum. This is
the only advice that can really protect your identity and, in turn, your
pocket.
I speak from experience. I was the victim of a fraudulent PAC request via my
mobile phone supplier, and while it hasn’t cost me anything (so far), the
experience does leave you scarred mentally and emotionally and wondering just
who you can trust.
Of course the answer to that is you can’t trust anyone. Putting social media
aside for a moment, even the simplest transaction these days requires you to
part with your personal data. Do you ever wonder why they need it? And if we
have to part with dob, post code and name for the flimsiest of reasons, why do
businesses think this is sensible information to use as proof of identity?
For me, my identity theft experience probably began with an online credit card
purchase where the information was leaked to a third party. I have no idea
which transaction this was. The first inkling I had that I was under attack was
via information from my email and energy suppliers.
At first, I didn’t put two and two together and took these as unrelated
activities. It wasn’t until two hours later when I received a PAC code from my
mobile phone supplier that I realised I was under attack. Remember what James
Bond said, “once happenchance, twice coincidence, three times enemy action”.
The PAC Process
Let’s talk about the PAC process. In terms of a balance between convenience and
security, this is a case where convenience is unfortunately winning hands down.
It is also an instance where Ofcom has, in my
opinion, thrown common sense out the window. I appreciate it used to be a pain
switching from one network supplier to another, but Ofcom have now placed
such unrealistic expectations on the network suppliers that it is impossible
for them to double check for fraudulent requests if the guidelines are going to
be met.
In my case the fraudster took control of my email account to convince the
network provider that the request was valid, and I suspect used a utility bill,
taken from my energy supplier, to convince the second network supplier that the
transfer request was genuine. Obviously I’m not naming names here but I will
name the second network as Giffgaff as I found their attitude to possible fraud
extremely lax.
Alerted to the attack, I contacted my network provider, within two hours of
receiving notification that the PAC had been raised, to tell them that the
request could not be genuine. There was a bit of toing and froing but in the end
they realised that the request they’d generated was fraudulent. The agent gave
me the story the fraudster had used to convince them to raise the PAC and told
me they would cancel the PAC. What they actually meant was that they would get
the PAC cancelled which is a totally different thing.
To be honest I’m not sure if you can cancel, or stop, a PAC once it is in
process. As I’ve already said the guidelines are very much written from the
perspective of the honest customer who wants to change supplier with scant
regard for stopping anyone who wants to use the process fraudulently. The
guidelines say the change has to be made in 24 hours, and once the PAC number
is in the hands of the receiver network there doesn’t appear to be any way to
simply stop the transfer taking place.
Knowing what I know now my next move should have been to remove my compromised
mobile number from all my accounts. Unfortunately, I believed that my network
provider had got the PAC stopped (as they had told me on the help line) and kept
using the number - an example of me sacrificing personal security for convenience. The end result was that 24 hours later the PAC went through,
the fraudster took control of my number and I’ve spent the rest of the year
trying to wrestle back control of my identity.
The energy supplier's story
I initially thought the fraudster gained access to details about my energy
account from my email account; but if the email provider’s story is to be
believed, they actually must have “chatted” their way into my energy account.
You can work out for yourself how they knew which energy supplier I held my
account with.
We received a notification that our email address had been changed on our
energy account and immediately contacted them to say it wasn’t us. The agent
reset it straight away and when asked why it had been changed told us it was
probably due to the “migration” i.e. a system error. Luckily, he told us what
it had been changed to.
Later on I raised a complaint with the energy supplier on the grounds that a)
they’d allowed our account to be accessed by a third party and b) their agent
had misled us as to the reason why our details had been changed. I asked for a
transcript of the third party’s conversation with the agent so that I could
understand which parts of my identity they had. I felt that if I knew what they
had known to start with, I would have a better idea of where the initial identity
breach had taken place.
Unfortunately 5 months of endless emails and then taking my complaint to the
Energy Ombudsman didn’t yield an answer. The energy supplier has accepted they were culpable
and offered compensation but will not provide the transcripts as it would be a
breach of GDPR regulations to provide me with information regarding the
company’s conversation with a third party!
This has now been raised with the Information Commissioner’s Office; more on
the ICO later.
The email provider's story
I spent a lot of time talking to my email supplier over the two days I was
wrestling back control of my account. I felt sufficiently aggrieved by the
initial breach to raise a complaint with them on the grounds that their
security procedures were clearly inadequate. Once again, I wanted to know what
had the scammer known to convince the company that it was me calling.
I have always described the first call to them as “ground zero”, first contact
with the enemy. If I could understand what they knew at this time I could
possibly push ground zero back to an earlier point in time and, hopefully, stop
it happening again.
This has been another five months of frustration and only partial success. The
email provider was worse than the energy supplier as they appeared so
overwhelmed by complaints that their complaints process was totally ineffective
unless you involved the Communications Ombudsman.
Partial success came in the form of a call I had with an agent, one Sunday
morning two months into the process, basically to find out where my complaint
had got to. She looked into my case and was able to tell me that the third
party had made several attempts to gain access to my account on the day until
they were finally successful. I suspect she listened back to this initial call
with her supervisor before coming back to talk to me. She told me that I needed
to raise my complaint with the Ombudsman otherwise the company would not
release the recordings to me. She also told me that, personally, she could
always spot a scam call by the caller’s demeanour; brave words that I hope
don’t come back to bite her.
Two months or so later and I’m little further forward. My Subject Access
Request (SAR) was partially successful as it gave me a log of the calls to my
account on the day but unfortunately not all the recordings. Probably the most
chilling item was the notes against the first call, which stated in block
capitals SCAMMER; USE THE LAND LINE. Two hours later the log shows that this
warning was missed/ignored and the scammer was given access to my account.
While raising the issue with the communication ombudsman may have at least got
the email company to take my case seriously, I was otherwise disappointed with
this Ombudsman’s performance. They appeared happy to accept obfuscation and half-truth
from the company, had difficulty understanding what evidence actually was (as
opposed to assertion) and certainly weren’t prepared to tell the email provider
to hand over the transcripts I required.
Although I appealed the Ombudsman’s findings, this was rejected and I have now
raised this case with the ICO as well.
In part 2 we will look at the mobile phone and the credit card suppliers’ stories before reviewing the role of the Information Commissioner’s Office and the whole issue of Delay, Deny, Defend, before winding up with some lessons learned.
------------------------------------------------------------------------------
Harveywetdog/Author - David Robinson CEng FIET
David spent approaching 50 years in Her Majesty’s Electricity Supply Industry before retiring.
He was part of the highly successful design team on the Sizewell B Nuclear Power Station Project before spending 25 years producing safety cases to keep our ageing AGR fleet generating for the good of the nation.
He is responsible for the Harveywetdog YouTube Channel, which he maintains as an outlet for his creative talents.
David is now in remission from blood cancer but refuses to be a victim.
All views are of course his own but might be influenced by the medication he’s had to take.