Optus fined over identity verification failures
Optus Mobile has paid $A826,320 in penalties after scammers exploited vulnerabilities in its identity verification systems. The Australian Communications and Media Authority (ACMA) found that Optus, operating as Coles Mobile, breached telco anti-scam rules on 44 occasions between 23 September and 23 October 2024.
According to ACMA's investigation report, scammers bypassed required verification processes through weaknesses in a third-party identity verification system. This enabled unauthorised mobile number porting, giving criminals control of consumers' mobile services.
At least four consumers suffered financial losses totalling $A39,000 after scammers accessed their bank accounts through the compromised mobile services. The investigation also found instances of identity theft.
The breaches occurred when Optus failed to properly implement additional identity verification processes required under the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020. The standard requires mobile carriers to confirm a person requesting a port is the legitimate account holder and has access to the mobile device.
ACMA's investigation revealed that while Optus sent unique verification codes via SMS to the 44 affected mobile numbers, unknown actors were able to bypass the verification system due to deficiencies in Optus' systems. The specific technical details have been redacted from public documents due to security sensitivities.
Authority Member Samantha Yorke said the case demonstrated severe impacts on Australians from scammer attacks. "While this was a one-off issue which was quickly remediated, it is inexcusable for any telco not to have robust customer ID verification systems in place, let alone Australia's second largest provider," Yorke said.
"Scammers are always looking for any weaknesses in systems, and on this occasion Optus left a vulnerability which directly exposed people to harm," she said.
The $A826,320 penalty is the maximum ACMA could impose under the infringement notice provisions: each of the 44 contraventions attracted 60 penalty units at $313 per unit, or $A18,780 per breach, and 44 breaches at that rate total $A826,320.
ACMA noted that Federal Court proceedings could have resulted in significantly higher penalties, but Optus chose to pay the infringement notice within 28 days, discharging its liability without admission of fault.
Disrupting mobile number fraud is a current ACMA compliance priority. Australian businesses have paid more than $A1.9 million for breaches of the mobile number pre-porting standard in the last 12 months.
Mobile number porting fraud remains a significant attack vector for account takeover and identity theft. Once criminals control a mobile number, they can intercept two-factor authentication codes and password reset links, enabling access to banking, email and other critical services.
ACMA advises consumers who suspect they are victims of phone scams to contact their telco and financial institution immediately. For operators, the incident underscores the need for defence in depth in identity verification: a check performed by a third-party system should not be the only control standing between a port request and the transfer of a number, and the carrier's own systems should be able to confirm, on their own records, that the verification actually completed for that specific request.
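The device-possession check the pre-porting standard requires is, as the investigation report describes, a one-time code sent by SMS to the number being ported. The following is an added example, not Optus's, Coles Mobile's or ACMA's code, of how a carrier back end can enforce that check purely on server-side state: the code is bound to one port request and one number, expires, is single-use, is attempt-limited, and the port step accepts no client-supplied "verified" flag. The SMS gateway, clock, account references and phone numbers are constructed for the demo. The actual deficiency in Optus's system is redacted from the public report, and this example does not claim to reproduce it.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is useless five minutes after issue
MAX_ATTEMPTS = 3         # after that the port request must be restarted


@dataclass
class PortRequest:
    msisdn: str        # number being ported out
    account_ref: str   # losing carrier's account identifier (constructed)
    code_mac: bytes    # HMAC over (request_id, msisdn, code); the code itself is never stored
    issued_at: float
    attempts: int = 0
    verified: bool = False
    consumed: bool = False


class PrePortVerifier:
    """Hypothetical carrier-side pre-port verification; not any real carrier's code."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms                # callable(msisdn, text): assumed SMS gateway
        self._now = now
        self._key = secrets.token_bytes(32)      # server-side secret; never leaves the back end
        self._requests = {}

    def _mac(self, request_id, msisdn, code):
        msg = f"{request_id}|{msisdn}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, msisdn, account_ref):
        """Open a port request and deliver a fresh code to the number being ported."""
        request_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._requests[request_id] = PortRequest(
            msisdn=msisdn, account_ref=account_ref,
            code_mac=self._mac(request_id, msisdn, code), issued_at=self._now())
        self._send_sms(msisdn, f"Port-out code {code}. If you did not ask to move "
                               "your number, call your provider now.")
        return request_id

    def confirm(self, request_id, msisdn, code):
        """Mark the request verified only if the code matches this request and number."""
        req = self._requests.get(request_id)
        if req is None or req.msisdn != msisdn:
            return False
        if self._now() - req.issued_at > CODE_TTL_SECONDS:
            return False
        if req.attempts >= MAX_ATTEMPTS:
            return False
        req.attempts += 1
        if hmac.compare_digest(req.code_mac, self._mac(request_id, msisdn, code)):
            req.verified = True
            return True
        return False

    def execute_port(self, request_id, gaining_carrier):
        """Port the number. The decision rests on stored state, never on caller input."""
        req = self._requests.get(request_id)
        if req is None or not req.verified or req.consumed:
            raise PermissionError("port not authorised")
        req.consumed = True    # a verified request is good for exactly one port
        return f"{req.msisdn} ported to {gaining_carrier}"


class FakeHandset:
    """Constructed stand-in for the SMS gateway: records the last code delivered."""

    def __init__(self):
        self.last_code = None

    def __call__(self, msisdn, text):
        self.last_code = re.search(r"\d{6}", text).group(0)


def run_demo():
    """Exercise the flow with a constructed handset and clock; returns the outcomes."""
    handset, clock = FakeHandset(), [1_700_000_000.0]
    v = PrePortVerifier(handset, now=lambda: clock[0])
    out, num = {}, "+61400000000"
    rid = v.start(num, "ACC-1")
    real = handset.last_code
    wrong = "000000" if real != "000000" else "111111"
    out["wrong_code"] = v.confirm(rid, num, wrong)
    out["right_code"] = v.confirm(rid, num, real)
    out["port"] = v.execute_port(rid, "GainingCo")
    try:                                         # replaying a consumed request
        v.execute_port(rid, "GainingCo")
        out["replay"] = "allowed"
    except PermissionError:
        out["replay"] = "blocked"
    rid2 = v.start("+61411111111", "ACC-2")      # correct code, different number
    out["other_number"] = v.confirm(rid2, "+61422222222", handset.last_code)
    rid3 = v.start("+61433333333", "ACC-3")      # correct code, but too late
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired"] = v.confirm(rid3, "+61433333333", handset.last_code)
    rid4 = v.start("+61444444444", "ACC-4")      # guessing burns the attempt budget
    real4 = handset.last_code
    wrong4 = "000000" if real4 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        v.confirm(rid4, "+61444444444", wrong4)
    out["after_lockout"] = v.confirm(rid4, "+61444444444", real4)
    try:                                         # no confirm() at all, so no port
        v.execute_port(v.start("+61455555555", "ACC-5"), "GainingCo")
        out["unverified"] = "allowed"
    except PermissionError:
        out["unverified"] = "blocked"
    return out


if __name__ == "__main__":
    print(run_demo())
```

The property worth noticing is that `execute_port` has no argument through which a front end, a partner portal or a third-party verification provider could assert "this customer was verified"; the only thing it consults is the record that `confirm` wrote. Whatever external service sends or checks the code, the carrier keeps the authoritative yes/no on its own side, which is the kind of independent control the defence-in-depth point above is about.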
