A devastated nurse has been left penniless and will have to change his name after sneaky ‘simjacking’ hackers stole almost everything – including his identity.
Ruthless thieves managed to con Optus staff into giving them total access to Sydney man Mark Donnelly’s phone number which let them reset passwords on all his bank accounts.
Within a matter of minutes, they had drained $34,000 out of his savings and credit cards and transferred it into untraceable cryptocurrency.
The hack also allowed them to access his emails and personal documents including vital identity papers like passport, driving licence and birth certificate details.
Now he’s had to block credit agencies from granting any loans in his name while he changes his name and rebuilds his life and his identity.
‘It’s absolutely terrifying,’ he told Daily Mail Australia. ‘They’ve taken everything – and it is shocking how easy it was for them to do it.’
Mr Donnelly, 46, from Blacktown in Sydney’s west, woke up a fortnight ago to find his iPhone 12 suddenly had no mobile connection and was only allowing SOS access.
He quickly contacted Optus who gave him a new sim card for the phone which immediately fixed the problem, foiling the first attempt to hack him.
Two days later though he had exactly the same problem – but this time Optus store staff told him it was an issue with his phone and referred him to Apple for a repair.
Unknown to Mr Donnelly though, the simjackers had posed as him online to Optus and demanded they issue an esim for his number.
Many modern phones no longer need physical sim cards and can use a virtual esim which gives any suitable phone full access to the mobile phone number.
While Mr Donnelly was trying to fix his problem, the hackers were busy using the phone number to access his bank accounts and reset his passwords via two-factor SMS authentication.
Banks use the mobile phone number they have on record to confirm a user’s identity and send a passcode to the phone, which then allows passwords to be changed.
Within minutes, Mr Donnelly’s savings and cheque accounts had been emptied into cryptocurrency where they were spirited away to an untraceable account.
The hackers had even used the phone number to access ANZ’s Shield app – designed to protect customers – to allow them to transfer large sums out of the account.
By the time his partner realised they had been robbed, it was already too late.
It then took hours on hold trying to talk to three different banks and Optus to shut down accounts before the hackers did even more damage.
‘The hackers were trying to extend my ZipPay credit to $10,000 but luckily they realised something was wrong and locked the account,’ said Mr Donnelly, an operating theatre nurse at Westmead Hospital.
‘I was on hold to ANZ Bank for an hour and a half trying to speak to someone and my adrenaline was just going through the roof. I just needed to speak to someone but couldn’t get through to them.
‘It was just sheer panic. I was like, “Oh my god, where’s all my money gone?” They put a freeze on all my accounts but then I had absolutely no access to money at all.’
With all his accounts finally locked, he and his partner were left with just $200 to live on while they battled to unravel the damage.
A check on the website f-secure.com revealed that enough of his personal details had been exposed online in hack attacks on company databases for hackers to pretend to be him online to Optus and get the vital esim to clone his phone.
‘It was a real eye opener to how unsafe you are these days,’ he said. ‘I’d done nothing wrong. No-one had accessed my phone – I’ve got a passcode and Face ID on it.
‘It’s made me realise just how much information about customers companies are leaking in hacks. No-one seems to know about this or how devastating it can be.’
He had to take days off work to try to fix the problem and says while almost all the money has since been refunded, Christmas has been ruined.
‘It’s just the stress of something like this,’ he said. ‘Christmas is over.’
Mr Donnelly is now changing his name to stop any more damage being done and has blocked loan applications in his current name.
He’s having to change his email address and all passwords and has ordered Optus to refuse any esim or phone number porting requests unless he is physically in a store with photo ID.
And he’s even considering hoarding his savings in cash under his mattress to keep it safe in future.
‘Now I’m questioning if I keep the money in the bank,’ he admitted. ‘Should I keep on saving? Should I have a bank account where you’re only allowed to withdraw with two signatures and have to be in the bank?
‘Some older people keep their cash under the mattress because they don’t trust banks… maybe they’ve got a point!’
He added: ‘I just hope that publicising this helps save even just one person from going through what I have.
‘It’s an absolute nightmare how easily you can lose everything without doing anything wrong. I’m going to have to change my name to protect myself now.’
An Optus spokesman said the hackers had used Mr Donnelly’s personal details to pretend to be him online to get access to his account.
‘An individual posing as the customer was able to access the Optus profile and change the contact details for the account,’ said a spokesman.
‘[They proceeded] to activate a new prepaid plan using the customer’s personal information (which all matched what Optus had on file).’
Optus added: ‘Unfortunately identity theft continues to be an issue for many Australians.
‘We encourage customers to regularly change their passwords, not re-use passwords and aim to keep their personal information secure.’