A devastated nurse has been left penniless and will have to change his name after sneaky 'simjacking' hackers stole almost everything - including his identity.
Ruthless thieves managed to con Optus staff into giving them total access to Sydney man Mark Donnelly's phone number which let them reset passwords on all his bank accounts.
Within a matter of minutes, they had drained $34,000 out of his savings and credit cards and transferred it into untraceable cryptocurrency.
The hack also allowed them to access his emails and personal documents including vital identity papers like passport, driving licence and birth certificate details.
Devastated nurse Mark Donnelly (pictured) was left penniless and will have to change his name after sneaky simjacker hackers stole almost everything - including his identity
Now he's had to block credit agencies from granting any loans in his name while he changes his name and rebuilds his life and his identity.
'It's absolutely terrifying,' he told Daily Mail Australia. 'They've taken everything - and it is shocking how easy it was for them to do it.'
Mr Donnelly, 46, from Blacktown in Sydney's west, woke up a fortnight ago to find his iPhone 12 suddenly had no mobile connection and was only allowing SOS access.
He quickly contacted Optus who gave him a new sim card for the phone which immediately fixed the problem, foiling the first attempt to hack him.
Within minutes, hackers had stolen $34,000 from Mark Donnelly (pictured) out of his savings and credit cards and transferred it into untraceable cryptocurrency.
The ruthless thieves managed to con Optus staff into giving them total access to Mark Donnelly's phone number which let them reset passwords on all his bank accounts.
WHAT IS SIMJACKING?
Simjacking is when hackers pose as a customer to get a telephone company to either give them a replacement sim card or an esim - a virtual sim card activated online - for the customer's number.
A few basic details like name, email address, home address and date of birth are often all that's needed to get the duplicate sim card.
Those details are often available online from hacked databases of large corporations like Facebook or Adobe.
Hackers can also open a new phone plan with another telco and pretend the victim's number is theirs and ask the telco to transfer or 'port' it to their new plan.
Once hackers have access to the phone number, they can then use that to exploit a weakness in online security checks.
Hackers can reset passwords on bank accounts by requesting two factor authentication using SMS text messages.
Banks then simply send a passcode by SMS text message to the customer's mobile phone number on file - which now goes straight to the hacker using the duplicate sim.
The hacker can then reset the password on bank accounts to access them - and then transfer money anywhere.
Two days later though he had exactly the same problem - but this time Optus store staff told him it was an issue with his phone and referred him to Apple for a repair.
Unknown to Mr Donnelly though, the simjackers had posed as him online to Optus and demanded they issue an esim in his number.
Many modern phones no longer need physical sim cards and can use a virtual esim which gives any suitable phone full access to the mobile phone number.
While Mr Donnelly was trying to fix his problem, the hackers were busy using the phone number to access his bank accounts and resetting his passwords by two-factor SMS authentication.
Banks use the mobile phone number they have on record to confirm a user's identity and sends a passcode to the phone which then allows passwords to be changed.
Within minutes, Mr Donnelly's savings and cheque accounts had been emptied into cryptocurrency where they were spirited away to an untraceable account.
The hackers had even used the phone number to access ANZ's Shield app - designed to protect customers - to allow them to transfer large sums out of the account.
By the time his partner realised they had been robbed, it was already too late.
It then took hours on hold trying to talk to three different banks and Optus to shut down accounts before the hackers did even more damage.
'The hackers were trying to extend my ZipPay credit to $10,000 but luckily they realised something was wrong and locked the account,' said Mr Donnelly, an operating theatre nurse at Westmead Hospital.
'I was on hold to ANZ Bank for an hour and half trying to speak to someone and my adrenaline was just going through the roof. I just needed to speak to someone but couldn't get through to them.
'It was just sheer panic. I was like, "Oh my god, where's all my money gone?" They put a freeze on all my accounts but then I had absolutely no access to money at all.'
While Mark Donnelly (pictured at work as a nurse) was trying to fix his problem, hackers were busy using the phone number to access his bank accounts and resetting his passwords
The hackers had even used the phone number to access ANZ's Shield app - designed to protect bank customers - to allow them to transfer large sums out of the account
With all his accounts finally locked, he and his partner were left with just $200 to live on while they battled to unravel the damage.
A check on a website f-secure.com revealed enough of his personal details had been exposed online in hack attacks on company databases for hackers to pretend to be him online to Optus, and get the vital esim to clone his phone.
Source : https://www.dailymail.co.uk/news/article-10334181/Simjacking-Mark-Donnelly-lost-hackers-cloned-phone.html1363