In 2014, UK authorities warned that criminals were taking over victim's cell phone numbers and using them to get into the victim's bank accounts. Now, a social engineering expert is warning that taking control of someone's phone number is easier than previously thought, thanks to a code normally made of three letters and six numbers called the Porting Authorisation Code, or PAC.
All a criminal needs to know for this fraud is the victim's phone number, name, some other information that can usually be found online, such as their date of birth, and some simple social engineering skills to trick cell phone carriers' support agents into giving out the code, according to Richard De Vere, a consultant who specializes in social engineering.
De Vere, who is the director and principal consultant at The AntiSocial Engineer, said he initially got the idea of using PAC codes to take over people's cell phone numbers when he got a code for himself six months ago. PACs are free codes that cell phone companies are required to provide to customers when they want to switch operators while keeping their number.
"This isn't about bashing brands, this is about securing people en masse."
The whole process "was a bit too easy," he told Motherboard. So he decided to test just how easy it is to get PACs from other UK cell phone carriers. De Vere detailed his findings, including videos showing how he tricked operators to give up a PAC code for his cell phone number in a blog post published on Wednesday.
"The issue with PAC numbers is they have to get from the operator to the customer as securely as possible," De Vere wrote in the post. "A big part of this transaction is the trust an operator must place in a caller. They should all work on securing this trust better."
As it turns out, some UK telephone carriers, such as EE and Three, gave De Vere the codes directly over the phone, despite the fact that he was calling from another number (a landline at that) and at times even providing incorrect verification information, such as the amount of the last "top up," or account refill.
That should "never, ever" happen, according to De Vere, because it makes things "easy" for the criminals. Operators should call the mobile phone number, or send it via SMS instead, De Vere said.
"A big part of this transaction is the trust an operator must place in a caller. They should all work on securing this trust better."
De Vere was simply testing this on numbers he owned, but if he had been a criminal taking over other people's phone numbers, he could have done real damage. Once in control of the numbers, he said, he could've use it to approve bank transactions with SMS notifications, bypass two-factor authentication on online accounts such as Gmail, and do other types of fraud.
That's why De Vere wants operators to be more careful when giving out PAC codes.
"This isn't about bashing brands, this is about securing people en masse," he wrote in his post.
Three, and GiffGaff did not respond to Motherboard's request for comment. EE admitted that the support agent who talked to De Vere did not follow the "standard protocol" to hand out PAC codes, but declined to specify exactly what the standard protocol is, saying only that the company asks "for a range of details for authentication and it appears as though that didn't happen fully this time." The spokesperson also added that EE normally requires the SIM number or ID, as the company's agent did in the phone call with De Vere.
O2, which was the company that fared best according to De Vere, said he was able to "pass a two-step authentication in order to have his PAC code shared with him verbally," but that happened only because he had the target cell phone under his control and he received a PIN code the company sent to him. If he hadn't been able to verify the receipt of the PIN code, the company would have not shared the PAC code verbally, an O2 spokesperson said.
Vodafone said the support agent agreed to send the PAC via text message because De Vere answered all security questions correctly other than the top up amount. "This approach ensured the security of the customer's account," a Vodafone spokesperson said.
If you're worried about criminals stealing your cellphone number, De Vere suggests calling your operator and asking for additional security measures such as a PIN or password to be requested when calling support agents. Otherwise, better solutions are in the hands of the operators.
"They've got the methods there, they've got the tools, they've got the passwords, they've got the ability to do it," he told me. "But day to day, they're just not doing it."
This story has been updated to add comments from EE and Vodafone.