Sequence of Events: Vodafone Australia – CBA (Credit Card and Mobile Fraud)
21-March-2016
7:00 PM -> I started getting calls from a masked number (without a caller ID). I picked up some initially, and thought that someone was just playing a prank [When I gave this information to Vodafone on the morning of 22-Mar, they asked for the “exact” time for at least ten of the calls before they could take any action. I told them that I could give approximates and that masked calls do not have a time stamp on my phone history; they simply expressed their inability to do anything]. These calls carried on at regular intervals for almost 4 hours till about 11:00 PM on 21-Mar.
11:08 PM -> I get an SMS from Vodafone stating “Thanks for your call. Unfortunately your identity couldn’t be confirmed. Please visit a store with your photo ID for verification.” [I should have called Vodafone customer care at this hour, however I ignored the SMS and didn’t]
11:34 PM -> I realised that my data service was not working for the last 30 minutes, and assuming that this was a technical network issue I used my Wi-Fi connection to post a message on Vodafone Australia’s Facebook page. I also checked my online Vodafone service dashboard, however there were no flags or indications of any impact on my service. I did not check my voice/text service at this time to check if they were working.
22-March-2016
00:11 AM -> I again checked my data services, and realised they were still down. I took a screenshot and posted it on Vodafone Australia’s FB page. My Vodafone App still did not have any flags related to my active services
07:35 AM -> I call Vodafone Customer care to check why my data is still not working. I hadn’t checked my voice or text services yet, however I was able to call Vodafone from my number. The customer care person (using a pseudo name Ivan or something) made me enable and disable data, reset network settings, restart the phone etc. He called me back a few minutes later, and transferred my call to the next level. I was told in this call that someone called Vodafone last night, and reported this phone as being stolen which led to my data services being stopped to avoid misuse. I had to authenticate myself, and the services were restored.
I asked the resolution specialist two questions, to which I did not get any satisfactory answers:
- Why did my services dashboard not flag or say anything when my phone was reported stolen, and why was no email sent to me about this loss of phone or barring of services on my account? – I was told that my feedback was valuable and would be passed on to the “technical team”.
- What can I do to report the multiple calls made to me last night? I was told that no case can be opened till I give the “exact” time for at least 10 of these calls. I offered to give estimated time for the calls, however the lady at the other end expressed her inability to do anything about it
12:01 PM -> My services were stopped again, and I was getting an SOS-only message on the cell phone. I was in transit when this happened, and it took me about 40 minutes to call Vodafone from a different number. This time customer care told me that someone had collected a SIM, and activated it with my number. I asked how that was possible, and how a duplicate SIM can be given to someone without a valid ID check. I also asked where this duplicate SIM was issued to the customer who pretended to be me – no response. I was transferred to the second level, and the supervisor Mac (real name Mayank) told me that my number was activated on the duplicate SIM because the caller completed their three-point verification over the phone call, and he knew my Vodafone PIN as well (the only people who know this PIN are either Vodafone or me; my Vodafone PIN is not written, never documented, never shared with anyone ever).
I asked when and how a duplicate SIM was issued, however it was not shared with me.
The supervisor changed my PIN, and asked me to update my DL number on Vodafone records as they still showed an ACT DL, and not my current NSW DL. I was also given instructions to file a Fraud Escalation report and submit it to Vodafone.
12:55 PM -> While I was still on call with Vodafone, I got an SMS from Commonwealth Bank to call them urgently on 1800 023 919 (Group Security number).
About 1:15 PM -> I was at the Vodafone retailer updating my DL details with him, when I got connected with CBA over the phone. I was asked a few questions to authenticate myself, and then about some credit card transactions in Plumpton, NSW. I told the CBA representative that I was still awaiting these credit cards, and hadn’t received them yet. I was told that there is a possibility that these were stolen from the mailbox or in transit, and were being used fraudulently. He also mentioned that the credit cards were now being blocked, and a report was being initiated on my behalf internally as I had not received these cards yet. Also that the cards would not be sent out in mail now, and I would need to collect them in person at the nearest bank branch.
1:45 PM -> I was monitoring my CBA app for the savings account, and in the process also tried to log in to Net banking, however my password was not working. I rushed to the closest CBA branch which is about 5 minutes away from my house.
1:53 PM -> On my way to the bank, I was online on the CBA app, however I was being thrown out because of multiple sessions. Looks like someone else was also using my credentials on a different phone. I also got an SMS with a 4-digit code for cardless withdrawal from an ATM. By this time I had figured out what had happened. Someone else had taken over my Vodafone number, reset the passwords, received PINs, changed daily cash withdrawal limits, installed the bank app and was now trying to withdraw cash.
2:00 PM -> I was in the bank and realised that there was a transfer made between my CBA accounts to enable the cash withdrawal as I keep the bare minimum in my day to day account, however I was already with a bank employee helping me out with this by that time. My current net banking was deactivated and then cancelled, all devices registered to use CBA app were disconnected, a new net banking account created, and new passwords generated to prevent any further fraudulent activity.
2:15 PM -> I was at the Police Station to file a report, and get an event number generated. This was also required by the bank to update in their records. The constable was really helpful, and got me a form to fill with as many details as possible related to the incident. An event number was given to me, which I then passed on to the bank. I was asked to get details of transactions from the bank, and submit it to the police, however bank employees were not authorised to print those out (probably because the case was opened in Group Security, and the cards were frozen)
4:30 PM -> I was back home, and set up my net banking and app from scratch. Downloaded a copy of the fraud escalation report.
**********************
Back to work while trying to make sense of the whole thing. This is how I summarise the whole incident now:
- CBA sent the cards in unsecure mail leaving it open to multiple opportunities of misuse.
- Someone knew there were credit cards inside the envelope (It’s either the postman who gave this envelope away or did not tuck it in the locked letterbox properly making it easy to access by anyone walking by on the street)
- Numerous phone calls on 21-March were an attempt to switch off my phone, so that it’s easier for the caller to prove that my number was lost, and I do not realise/get any messages (Voda only bothered to send an SMS to the stolen number, and did not have a flag on the service dashboard, or an email sent out)
- Someone called in to report a stolen phone, and Vodafone stopped the services to avoid misuse, without confirming if it’s a valid issue or not
- The first level customer care was troubleshooting technical issues, while it was very clear that my services were stopped by Vodafone because of the call made earlier
- The resolution team at Vodafone refused to file an issue about unwanted calls if I did not give them at least 10 exact timings. I offered to provide estimates, but they refused to acknowledge
- Even though I got the services reactivated on the morning of 22-March, and used both voice and data throughout the morning, a duplicate SIM was issued to an unknown person and then activated as well. I understand that someone can somehow get access to my DL number, and date of birth, however it’s impossible for anyone to know my PIN as it’s not documented anywhere. It’s only Vodafone representatives who know the PIN as it’s logged in their system
- Vodafone resolution team this time only casually directed me to a Fraud Escalation report and a third party related to Identity theft, without taking this issue up right there and then and initiating an investigation. I am expected to download a form, fill it, print it, get a statutory declaration signed by a JP, and then submit it to Vodafone team
- I am filing the fraud escalation report to Vodafone today (24-Mar-2016), and also exploring ways to formally complain to appropriate government bodies about how Vodafone made it extremely easy for someone to take a new SIM, and activate it with my number