It's surprisingly complicated to register a new mobile phone service in Australia, but sadly all too frighteningly easy to get one fraudulently ported away from its rightful owner. New standards being brought in by the ACMA want to make that kind of criminal effort much harder.
Not that long ago, I had to pick up a new mobile SIM in the UK while I was there on holiday. Expecting plenty of paperwork, I went in with lots of identifying documents, only to be sold the freshly activated SIM card with essentially no questions asked. Which was a lovely smooth process, but one that did sit with me in stark contrast to the way such matters are conducted in Australia.
Here, if you want a new mobile service, you've got to provide a lot of qualifying information for any phone service. That's a standard that's government-mandated, too, so telcos really can't skip out on it.
What is substantially easier – and I've had to help more than one family member do this, sometimes when they're just not capable and in one memorable case where two different telcos utterly botched the process – is porting an existing number to a new SIM card.
It's often no more difficult than knowing a date of birth or postal address, both of which aren't actually that hard to discern. I could rather trivially find much of that information just from dipping into friend's Facebook accounts, not that I'm going to do so.
But what value is there in taking over somebody's phone number anyway? Plenty of value, as it turns out. A lot of systems, including most major banking systems use two factor authentication including SMS as a verification check method. Take over somebody's phone number, and all those verifying SMS messages are heading your way instead of the honest owners.
How bad is the problem? It forms part of what's broadly referred to as identity theft, and the Australian Federal Police estimate that identity theft crime as a total costs Australia around $1.6 billion annually. That's a lot of zeroes.
In an effort to curb that kind of crime, the Australian Communications Media Authority (ACMA) has announced the Telecommunications (Mobile Number Pre-porting Additional Identify Verification) Industry Standard 2020, because these kinds of standards always have long, legalese-type names.
So what's the new deal for switching up your mobile number, and will it really protect you?
What do telcos need to do under the new standard?
The new standard requires telcos to add at least one additional verification process besides the existing general standard of usual identifying factors, such as your date of birth or place of residence.
This can be by telco representatives confirming that the person making the request has access to a mobile device containing the SIM (or eSIM) already associated with the number by calling it, and either noting in-store that the correct device rang, or by calling back the requested number if you're dealing with a call centre.
Alternatively, telcos can opt to make that secondary verification check via SMS and a one-time unique code, which is very classic two factor authentication already in play. If somebody's trying to port your number to their own device and a new SIM, you'd be alerted fairly quickly that this was happening that way, and they wouldn't be able to as easily grab the unique code.
Telcos could also opt to use biometric authentication methods to complete that check.
In cases where devices and biometric data are lost, the standard also allows for verification via identity documents of a sufficient quality, such as a driver's licence, passport or birth certificate. In these cases, the new standard calls for the use of at least two qualifying documents.
Can my telco charge me for the additional verification steps?
This is explicitly prohibited by the new standard, which notes:
A mobile carriage service provider must not charge a fee to a customer, or the customer’s authorised representative, for an SMS message used to complete an additional identity verification process.
Mobile Number Portability has been the case for Australian mobile users since September 2001, and outside of any unpaid existing charges or contractual obligations you may have signed up for, telcos are not allowed to levy any fees for the porting process itself.
Can I choose which verification method to use?
Probably not in the first instance. The choice of verification systems rests with the telcos, because it's their responsibility to manage the mobile number porting process. It seems fairly likely that many of them will opt for the unique code via SMS option, because it's already hard-baked into many of their systems and consumers are generally already aware of how to use these kinds of systems.
That being said, this isn't a standard that's designed to make it impossible for you to genuinely port your own mobile number or help others do so in a legitimate way. If you're not able for legitimate reasons to use, say, two factor authentication via SMS, telcos would have to offer other methods of verification to meet both their obligations to their customers and under the standard.
When does the new standard become mandatory?
The new standard kicks in from 30 April 2020, although it's possible that some telcos may already be implementing these kinds of steps when a mobile number porting process is initiated.
Will it really keep my mobile number safe?
No security system is perfect, and a very determined individual could potentially find ways around some of the provisions of the act. There's examples of criminal types bypassing SMS 2FA security by the simple expedient of bribing call centre workers, which would get around this level of security. If your telco offers it, a different and more secure method of authentication, such as biometrics or a physical device you have to present would be a tougher nut for thieves to crack.
What if I'm concerned I've already been compromised?
There's some key steps to take here. You should definitely contact your financial institutions (banks and the like) and put a temporary freeze on all of your accounts to stop funds being siphoned from them. Also contact your mobile provider to try to reverse the swap and stop any kind of premium calling or other activity that could cost you further money.
You should also contact IDCARE, a charity that specifically works to help people impacted by identity theft to sort out the issues that can arise there.